From 13e980cbe2f6ab85ae7dbb6e92b443e09ecbfbd9 Mon Sep 17 00:00:00 2001
From: Rafal Rabenda
Date: Wed, 6 May 2026 12:30:22 +0200
Subject: [PATCH] ci: scope down release/sync-docs to dedicated GitHub Apps
Replace the over-privileged shared CI bot with two dedicated, minimally scoped GitHub Apps gated behind protected environments. Mirrors the same change in genlayer-testing-suite#78 and genlayer-cli#297.
- publish.yml: rename environment npm -> Publish, switch from tibdex/github-app-token@v1 (archived) to actions/create-github-app-token@v3 with vars.PUBLISH_CI_APP_CLIENT_ID + secrets.PUBLISH_CI_APP_KEY.
- sync-docs.yml: bump create-github-app-token to @v3, switch to client-id, gate behind the Sync-docs environment with vars.DOCS_SYNC_APP_CLIENT_ID + secrets.DOCS_SYNC_APP_KEY.
Each App should be installed only on the repos it needs (Publish: this repo only; Sync-docs: this repo + genlayer-docs) with Contents: read & write as the only permission.
---
 .github/workflows/publish.yml | 8 ++++----
 .github/workflows/sync-docs.yml | 5 +++--
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 35096d0..359ba26 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -13,14 +13,14 @@ permissions:
 jobs:
 release:
 runs-on: ubuntu-latest
- environment: npm
+ environment: Publish
 steps:
 - name: Get CI Bot Token
- uses: tibdex/github-app-token@v1
+ uses: actions/create-github-app-token@v3
 id: ci_bot_token
 with:
- app_id: ${{ secrets.CI_BOT_APP_ID }}
- private_key: ${{ secrets.CI_BOT_SECRET }}
+ client-id: ${{ vars.PUBLISH_CI_APP_CLIENT_ID }}
+ private-key: ${{ secrets.PUBLISH_CI_APP_KEY }}
 - name: Checkout source code
 uses: actions/checkout@v4
diff --git a/.github/workflows/sync-docs.yml b/.github/workflows/sync-docs.yml
index 5e1e4e8..5ff3ec7 100644
--- a/.github/workflows/sync-docs.yml
+++ b/.github/workflows/sync-docs.yml
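Review bot: The new `uses: actions/create-github-app-token@v3` line (and the neighbouring `actions/checkout@v4`, plus the same `@v3` reference in the second sync-docs.yml hunk) resolves a mutable major tag at run time, so the step that mints the release token trusts whatever that tag points to on each run; for a job that holds an App private key and publishes, pin to a full-length commit SHA and keep the version as a comment, `uses: actions/create-github-app-token@<full-commit-sha>  # v3`, and let a dependency bot move the pin. The step name `Get CI Bot Token` and id `ci_bot_token` still describe the shared bot this commit retires; renaming them (e.g. `id: publish_app_token`) would keep the workflow self-describing, but the id is referenced by later steps outside the hunk, so rename those together. As far as the action's upstream documentation goes, omitting `repositories` scopes the token to the current repository, which matches the intent stated in the commit message, but spelling it out the way sync-docs.yml does would make that scope visible in the file — worth confirming against the action's README for v3. The release job's `permissions:` block begins above the hunk and is not visible here.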
@@ -9,6 +9,7 @@ jobs:
 generate-and-sync:
 if: github.event_name != 'release' || !contains(github.event.release.tag_name, '-')
 runs-on: ubuntu-latest
+ environment: Sync-docs
 permissions:
 contents: read
 steps:
@@ -38,9 +39,9 @@ jobs:
 - name: Generate docs repo token
 id: app-token
- uses: actions/create-github-app-token@v1
+ uses: actions/create-github-app-token@v3
 with:
- app-id: ${{ vars.DOCS_SYNC_APP_ID }}
+ client-id: ${{ vars.DOCS_SYNC_APP_CLIENT_ID }}
 private-key: ${{ secrets.DOCS_SYNC_APP_KEY }}
 repositories: genlayer-docs
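Review bot: The added `environment: Sync-docs` only narrows who can read `vars.DOCS_SYNC_APP_CLIENT_ID` and `secrets.DOCS_SYNC_APP_KEY` if the environment itself carries protection rules — deployment-branch/tag restrictions or required reviewers — and those live in repository settings rather than in this file, so nothing in the hunk shows them. Because the job's `if:` admits non-release events and the trigger list sits above the hunk, an unrestricted environment would still hand an App token with write access to genlayer-docs to any ref that can reach this job, which is the exposure the commit sets out to close. A comment beside the new line recording the expected rules would let the next reader verify them: `# Sync-docs environment: deployment branches/tags restricted to release refs; required reviewers if the docs repo needs sign-off`. The job-level `permissions: contents: read` is kept, so GITHUB_TOKEN itself stays read-only and only the App token carries write access.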