chore(ci): correct secrets for each app usage #2157
Summary by CodeRabbit
Walkthrough
The changes modify GitHub Actions workflows to use separate GitHub App credentials for different purposes. The dogfood.yml workflow introduces a new token generation step that creates two distinct tokens: one for team membership verification using existing APP_ID/PRIVATE_KEY secrets, and another for dispatching downstream workflows using new DOGFOOD_APP_ID/DOGFOOD_APP_PRIVATE_KEY secrets. The dogfood token includes owner and repository scope parameters. The publish.yml workflow's "Trigger Dogfood" step is updated to expose both the standard and dogfood-specific secrets to the downstream workflow invocation.
Caution: Some comments are outside the diff and can't be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/dogfood.yml (1)
52-59: ⚠️ Potential issue | 🟠 Major
Defer dogfood token minting until after the manual auth gate.
For `workflow_dispatch`, Lines 52-59 create the downstream-dispatch token before Lines 88-92 reject non-members, and that same token is later used at Line 100. Please move this step below the authorization check, or guard it so manual runs only mint the dogfood token after `team-check` passes.
Suggested change
- - name: Generate token for dogfood - id: app-token-dogfood - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf - with: - app-id: ${{ secrets.DOGFOOD_APP_ID }} - private-key: ${{ secrets.DOGFOOD_APP_PRIVATE_KEY }} - owner: supabase - repositories: supabase,multiplayer.dev,platform,tests,realtime,ssr,helper-scripts,embeddings-generator,dbdev - - name: Fail if not authorized if: ${{ github.event_name == 'workflow_dispatch' && steps.team-check.outputs.is_team_member != 'true' }} run: | echo "You must be a member of `@supabase/admin` or `@supabase/sdk`." exit 1 + + - name: Generate token for dogfood + if: ${{ github.event_name != 'workflow_dispatch' || steps.team-check.outputs.is_team_member == 'true' }} + id: app-token-dogfood + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf + with: + app-id: ${{ secrets.DOGFOOD_APP_ID }} + private-key: ${{ secrets.DOGFOOD_APP_PRIVATE_KEY }} + owner: supabase + repositories: supabase,multiplayer.dev,platform,tests,realtime,ssr,helper-scripts,embeddings-generator,dbdevAlso applies to: 100-100
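Review bot: the added `if:` on the relocated "Generate token for dogfood" step is redundant once the step sits after "Fail if not authorized": `exit 1` there fails the job, and every later step without `if: always()` is skipped, so the reordering alone closes the gap for `workflow_dispatch`. Keeping the condition as defence in depth is fine, but the consumer at line 100 must then not be given `always()` or `continue-on-error` semantics that could run it with an empty `steps.app-token-dogfood.outputs.token`. Separately, `repositories:` scopes the dogfood token to nine repositories (supabase, multiplayer.dev, platform, tests, realtime, ssr, helper-scripts, embeddings-generator, dbdev); consider narrowing that list to the repositories this workflow actually dispatches to, since the token is only needed for the dispatch call.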
📒 Files selected for processing (2)
.github/workflows/dogfood.yml
.github/workflows/publish.yml
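Added check, not part of the PR or of CodeRabbit's output, that encodes the ordering rule from the finding above: a step using actions/create-github-app-token must not precede the "Fail if not authorized" gate unless it is needed for the membership check itself or carries an `if:` on `steps.team-check.outputs.is_team_member`. It assumes the steps are the list `yaml.safe_load` returns for `jobs.<job>.steps`; the sample steps are constructed and only modelled on the order the review flagged, not copied from dogfood.yml.

```python
TOKEN_ACTION = "actions/create-github-app-token"
GATE_OUTPUT = "steps.team-check.outputs.is_team_member"


def token_steps_before_gate(steps, gate_name="Fail if not authorized", exempt_ids=()):
    """Return ids of token-minting steps placed before the auth gate that are
    neither exempt (needed to perform the membership check itself) nor guarded
    by an `if:` that references the team-check output."""
    gate_index = next((i for i, s in enumerate(steps) if s.get("name") == gate_name), None)
    if gate_index is None:
        raise ValueError(f"no authorization gate step named {gate_name!r}")
    findings = []
    for i, step in enumerate(steps[:gate_index]):
        if not str(step.get("uses", "")).startswith(TOKEN_ACTION):
            continue  # not a token-minting step
        ident = step.get("id") or step.get("name") or f"step#{i}"
        if ident in exempt_ids or GATE_OUTPUT in str(step.get("if", "")):
            continue  # legitimately early, or explicitly gated on team-check
        findings.append(ident)
    return findings


# Constructed sample steps (not the real dogfood.yml): the dogfood token is
# minted before the gate, which is the order the review flagged.
FLAGGED = [
    {"name": "Generate token", "id": "app-token", "uses": TOKEN_ACTION + "@<sha>",
     "with": {"app-id": "${{ secrets.APP_ID }}",
              "private-key": "${{ secrets.PRIVATE_KEY }}"}},
    {"name": "Generate token for dogfood", "id": "app-token-dogfood",
     "uses": TOKEN_ACTION + "@<sha>",
     "with": {"app-id": "${{ secrets.DOGFOOD_APP_ID }}",
              "private-key": "${{ secrets.DOGFOOD_APP_PRIVATE_KEY }}",
              "owner": "supabase"}},
    {"name": "Check team membership", "id": "team-check", "run": "..."},
    {"name": "Fail if not authorized",
     "if": "${{ github.event_name == 'workflow_dispatch' && "
           "steps.team-check.outputs.is_team_member != 'true' }}",
     "run": "exit 1"},
    {"name": "Trigger dogfood", "run": "..."},
]
# The same steps with the dogfood token step moved below the gate.
FIXED = [FLAGGED[0], FLAGGED[2], FLAGGED[3], FLAGGED[1], FLAGGED[4]]

if __name__ == "__main__":
    # The membership-check token is exempt: the gate itself depends on it.
    print(token_steps_before_gate(FLAGGED, exempt_ids=("app-token",)))  # ['app-token-dogfood']
    print(token_steps_before_gate(FIXED, exempt_ids=("app-token",)))    # []
```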
Needed both the GP APP ID for checking membership, and the dogfood app ID to allow triggering the workflow.