ci: scope down release/sync-docs to dedicated GitHub Apps

[rrabenda]

Summary

Reduce the attack surface of release & docs-sync workflows by replacing the shared, over-privileged CI bot with two dedicated, minimally scoped GitHub Apps gated behind protected environments. Mirrors the same change in genlayer-testing-suite#78, genlayer-cli#297, and genlayer-js#168.

• publish.yml — gate release-and-upload behind the Publish environment, switched from the archived tibdex/github-app-token@v1 to the official actions/create-github-app-token@v3. Reads vars.PUBLISH_CI_APP_CLIENT_ID and secrets.PUBLISH_CI_APP_KEY.
• sync-docs.yml — bumped actions/create-github-app-token to @v3, switched to the explicit client-id parameter, gated behind the Sync-docs environment. Reads vars.DOCS_SYNC_APP_CLIENT_ID and secrets.DOCS_SYNC_APP_KEY. Cross-repo repositories: genlayer-docs token request is preserved.

Each App should be installed only on the repos it needs (Publish: this repo only; Sync-docs: this repo + genlayer-docs) with Contents: Read & write as the only permission.

Pre-merge checklist (GitHub side)

• Publish environment exists with PUBLISH_CI_APP_CLIENT_ID (variable) and PUBLISH_CI_APP_KEY (secret)
• Sync-docs environment exists with DOCS_SYNC_APP_CLIENT_ID (variable) and DOCS_SYNC_APP_KEY (secret)
• Both Apps installed on genlayer-py (sync-docs App also on genlayer-docs) with only Contents: Read & write
• Publish App added to branch-protection bypass list on main (semantic-release pushes the version-bump commit + tag)
• Sync-docs environment "Deployment branches and tags" allows the v* tag pattern (otherwise release: published on a tag ref will be blocked)

Test plan

• Land a fix: or feat: commit on main and confirm publish.yml mints a token, semantic-release pushes the version bump + tag, the GitHub Release is created, and the PyPI upload succeeds
• Confirm sync-docs.yml fires automatically on release: published and pushes the API-reference update to genlayer-docs
• Once verified, decommission the old shared CI App from this repo and rotate / revoke its secrets

Notes

• publish-to-pypi job still reads secrets.PYPI_API_TOKEN from repo secrets directly (not gated behind an environment). Left as-is to keep this PR scoped, but moving it under Publish would add the same protection rules to PyPI uploads — happy to do that in a follow-up if desired.

[coderabbitai]

Warning

Rate limit exceeded

@rrabenda has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 39 seconds before requesting another review.

To continue reviewing without waiting, purchase usage credits in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ebdb4beb-72b6-4b7a-bf08-ac6cfa43ef96

📥 Commits

Reviewing files that changed from the base of the PR and between cf421ed and 7a035b4.

📒 Files selected for processing (2)

• .github/workflows/publish.yml
• .github/workflows/sync-docs.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/scope-down-release-app-tokens

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}