Commit 2af1767

chore(ci): use CONTENT_REPO_TOKEN for Fly runtime auth
1 parent 09d8a74 commit 2af1767

2 files changed: +21 -17 lines changed


.github/workflows/deploy-api-fly.yml

Lines changed: 3 additions & 3 deletions
@@ -22,7 +22,7 @@ jobs:
2222
DATABASE_ID: ${{ secrets.DATABASE_ID }}
2323
DATA_SOURCE_ID: ${{ secrets.DATA_SOURCE_ID }}
2424
GITHUB_REPO_URL: ${{ github.server_url }}/${{ github.repository }}
25-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
25+
CONTENT_REPO_TOKEN: ${{ secrets.CONTENT_REPO_TOKEN }}
2626
GIT_AUTHOR_NAME: ${{ secrets.GIT_AUTHOR_NAME }}
2727
GIT_AUTHOR_EMAIL: ${{ secrets.GIT_AUTHOR_EMAIL }}
2828
NOTION_TRIGGER_API_KEY: ${{ secrets.NOTION_TRIGGER_API_KEY }}
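Review bot: At new line 25 the `env` block swaps the Actions-provided `GITHUB_TOKEN` for a manually created `CONTENT_REPO_TOKEN`, and the placement under `jobs:` does not show whether the block is job-wide or step-level. If it is job-wide, move this entry to the step that builds `fly_secrets`, so the other steps in the job never receive a credential that the docs in this commit describe as having `contents:write`.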
@@ -50,7 +50,7 @@ jobs:
5050
require_secret "FLY_API_TOKEN" "${FLY_API_TOKEN}"
5151
require_secret "FLY_APP_NAME" "${FLY_APP_NAME}"
5252
require_secret "NOTION_API_KEY" "${NOTION_API_KEY}"
53-
require_secret "GITHUB_TOKEN" "${GITHUB_TOKEN}"
53+
require_secret "CONTENT_REPO_TOKEN" "${CONTENT_REPO_TOKEN}"
5454
require_secret "GIT_AUTHOR_NAME" "${GIT_AUTHOR_NAME}"
5555
require_secret "GIT_AUTHOR_EMAIL" "${GIT_AUTHOR_EMAIL}"
5656
require_secret "NOTION_TRIGGER_API_KEY" "${NOTION_TRIGGER_API_KEY}"
@@ -113,7 +113,7 @@ jobs:
113113
fly_secrets=(
114114
"NOTION_API_KEY=${NOTION_API_KEY}"
115115
"GITHUB_REPO_URL=${GITHUB_REPO_URL}"
116-
"GITHUB_TOKEN=${GITHUB_TOKEN}"
116+
"GITHUB_TOKEN=${CONTENT_REPO_TOKEN}"
117117
"GIT_AUTHOR_NAME=${GIT_AUTHOR_NAME}"
118118
"GIT_AUTHOR_EMAIL=${GIT_AUTHOR_EMAIL}"
119119
"NOTION_TRIGGER_API_KEY=${NOTION_TRIGGER_API_KEY}"
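Review bot: Line 116 stores `CONTENT_REPO_TOKEN` under the Fly secret name `GITHUB_TOKEN`, and nothing in the script explains why the two names differ. Add a one-line comment above the entry saying the runtime `GITHUB_TOKEN` is deliberately sourced from `CONTENT_REPO_TOKEN`, so a later cleanup does not change it back to `${GITHUB_TOKEN}`, which this commit no longer defines in the `env` block.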

context/workflows/api-service-deployment.md

Lines changed: 18 additions & 14 deletions
@@ -484,16 +484,19 @@ Navigate to your repository on GitHub and add these secrets:
484484

485485
#### Fly Deployment Secrets (Required for API auto-deploy workflow)
486486

487-
| Secret Name | Value | Used By Workflows |
488-
| --------------- | ----------------------------------------------------- | ------------------------- |
489-
| `FLY_API_TOKEN` | Fly API token | Deploy API service to Fly |
490-
| `FLY_APP_NAME` | Fly app name (for example `comapeo-docs-api-trigger`) | Deploy API service to Fly |
487+
| Secret Name | Value | Used By Workflows |
488+
| -------------------- | --------------------------------------------------------------------------- | ------------------------- |
489+
| `FLY_API_TOKEN` | Fly API token | Deploy API service to Fly |
490+
| `FLY_APP_NAME` | Fly app name (for example `comapeo-docs-api-trigger`) | Deploy API service to Fly |
491+
| `CONTENT_REPO_TOKEN` | GitHub fine-grained PAT/GitHub App token with `contents:write` on this repo | Deploy API service to Fly |
491492

492493
**Runtime environment secrets (Fly app):**
493494

494495
The workflow syncs these runtime values to the Fly app before each deploy:
495496
`NOTION_API_KEY`, `DATABASE_ID`/`DATA_SOURCE_ID`, `GITHUB_REPO_URL`, `GITHUB_TOKEN`, `GIT_AUTHOR_NAME`, `GIT_AUTHOR_EMAIL`, `NOTION_TRIGGER_API_KEY`, `API_KEY_GITHUB_ACTIONS`, and `DEFAULT_DOCS_PAGE` (fallback `introduction`).
496497

498+
Note: `GITHUB_TOKEN` in Fly runtime is populated from the GitHub Actions secret `CONTENT_REPO_TOKEN` (not from the ephemeral Actions `secrets.GITHUB_TOKEN`).
499+
497500
Example:
498501

499502
```bash
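Review bot: The new `CONTENT_REPO_TOKEN` row at line 491 names the required permission but says nothing about scope limits or rotation. Because this token is stored in Fly as the runtime `GITHUB_TOKEN` and is not the ephemeral `secrets.GITHUB_TOKEN` that the note at line 498 contrasts it with, the row or the note should state that the token is restricted to this repository with no permission beyond `contents:write`, and who replaces it when it expires or is revoked.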
@@ -537,16 +540,16 @@ flyctl secrets set \
537540

538541
### Quick Reference: Secret Requirements by Workflow
539542

540-
| Workflow | Required Secrets | Optional Secrets |
541-
| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------- |
542-
| API Validate | `API_KEY_GITHUB_ACTIONS`, `NOTION_API_KEY`, `DATABASE_ID`, `DATA_SOURCE_ID`, `OPENAI_API_KEY` | None |
543-
| Deploy API Service to Fly | `FLY_API_TOKEN`, `FLY_APP_NAME`, `NOTION_API_KEY`, `GITHUB_REPO_URL`, `GITHUB_TOKEN`, `GIT_AUTHOR_NAME`, `GIT_AUTHOR_EMAIL`, `NOTION_TRIGGER_API_KEY`, `API_KEY_GITHUB_ACTIONS`, and (`DATABASE_ID` or `DATA_SOURCE_ID`) | `DEFAULT_DOCS_PAGE` |
544-
| Sync Notion Docs | `NOTION_API_KEY`, `DATABASE_ID`, `DATA_SOURCE_ID` | `SLACK_WEBHOOK_URL` |
545-
| Translate Notion Docs | `NOTION_API_KEY`, `DATABASE_ID`, `DATA_SOURCE_ID`, `OPENAI_API_KEY` | `OPENAI_MODEL`, `SLACK_WEBHOOK_URL` |
546-
| Docker Publish | `DOCKERHUB_USERNAME`, `DOCKERHUB_TOKEN` | `SLACK_WEBHOOK_URL` |
547-
| Deploy PR Preview | `NOTION_API_KEY`, `DATABASE_ID`, `DATA_SOURCE_ID` | `CLOUDFLARE_API_TOKEN`, `CLOUDFLARE_ACCOUNT_ID`, `SLACK_WEBHOOK_URL` |
548-
| Deploy to Production | `NOTION_API_KEY`, `DATABASE_ID`, `DATA_SOURCE_ID` | `CLOUDFLARE_API_TOKEN`, `CLOUDFLARE_ACCOUNT_ID`, `SLACK_WEBHOOK_URL` |
549-
| Deploy to GitHub Pages | None (uses GitHub Pages infrastructure) | `SLACK_WEBHOOK_URL` |
543+
| Workflow | Required Secrets | Optional Secrets |
544+
| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------- |
545+
| API Validate | `API_KEY_GITHUB_ACTIONS`, `NOTION_API_KEY`, `DATABASE_ID`, `DATA_SOURCE_ID`, `OPENAI_API_KEY` | None |
546+
| Deploy API Service to Fly | `FLY_API_TOKEN`, `FLY_APP_NAME`, `CONTENT_REPO_TOKEN`, `NOTION_API_KEY`, `GITHUB_REPO_URL`, `GIT_AUTHOR_NAME`, `GIT_AUTHOR_EMAIL`, `NOTION_TRIGGER_API_KEY`, `API_KEY_GITHUB_ACTIONS`, and (`DATABASE_ID` or `DATA_SOURCE_ID`) | `DEFAULT_DOCS_PAGE` |
547+
| Sync Notion Docs | `NOTION_API_KEY`, `DATABASE_ID`, `DATA_SOURCE_ID` | `SLACK_WEBHOOK_URL` |
548+
| Translate Notion Docs | `NOTION_API_KEY`, `DATABASE_ID`, `DATA_SOURCE_ID`, `OPENAI_API_KEY` | `OPENAI_MODEL`, `SLACK_WEBHOOK_URL` |
549+
| Docker Publish | `DOCKERHUB_USERNAME`, `DOCKERHUB_TOKEN` | `SLACK_WEBHOOK_URL` |
550+
| Deploy PR Preview | `NOTION_API_KEY`, `DATABASE_ID`, `DATA_SOURCE_ID` | `CLOUDFLARE_API_TOKEN`, `CLOUDFLARE_ACCOUNT_ID`, `SLACK_WEBHOOK_URL` |
551+
| Deploy to Production | `NOTION_API_KEY`, `DATABASE_ID`, `DATA_SOURCE_ID` | `CLOUDFLARE_API_TOKEN`, `CLOUDFLARE_ACCOUNT_ID`, `SLACK_WEBHOOK_URL` |
552+
| Deploy to GitHub Pages | None (uses GitHub Pages infrastructure) | `SLACK_WEBHOOK_URL` |
550553

551554
### Step 5.2: Available GitHub Workflows
552555

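Review bot: The "Deploy API Service to Fly" row at line 546 still lists `GITHUB_REPO_URL` as a required secret, but the workflow in this commit sets it from `${{ github.server_url }}/${{ github.repository }}` rather than from `secrets`. Drop it from the required list or mark it as derived while this row is being edited. Re-padding every row of the table for a one-row change also hides the real edit in the diff; keeping the original column widths would leave a single changed line.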
@@ -879,6 +882,7 @@ After completing deployment, verify:
879882
- [ ] `CLOUDFLARE_ACCOUNT_ID` (for Cloudflare Pages deployments)
880883
- [ ] `FLY_API_TOKEN` (for Fly API deployments)
881884
- [ ] `FLY_APP_NAME` (for Fly API deployments)
885+
- [ ] `CONTENT_REPO_TOKEN` (for Fly API deployments; used as runtime `GITHUB_TOKEN`)
882886
- [ ] API runtime secrets mirrored to Fly (`NOTION_API_KEY`, `DATABASE_ID`/`DATA_SOURCE_ID`, `GITHUB_REPO_URL`, `GITHUB_TOKEN`, `GIT_AUTHOR_NAME`, `GIT_AUTHOR_EMAIL`, `API_KEY_GITHUB_ACTIONS`, `NOTION_TRIGGER_API_KEY`, `DEFAULT_DOCS_PAGE`)
883887
- [ ] `SLACK_WEBHOOK_URL` (for Slack notifications)
884888

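Review bot: The checklist item added at line 885 confirms only that `CONTENT_REPO_TOKEN` exists. Extend it so the reader also verifies the token carries `contents:write` on this repo, matching the requirement stated in the secrets table, since a token without that permission would still pass this checklist.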