diff options
| author | Yuriy Andamasov <yuriy@vyos.io> | 2026-06-03 03:32:24 +0300 |
|---|---|---|
| committer | Yuriy Andamasov <yuriy@vyos.io> | 2026-06-03 03:32:24 +0300 |
| commit | 459109f13adf026d012c4e803f4a86a8f84e6ce3 (patch) | |
| tree | 320c23897bfdca60bb4bd9ef3aba142a36e83d34 /.github/workflows | |
| parent | 1d27b404815049815b0e9327e7ec3482ec2ecbfa (diff) | |
| download | vyos-documentation-459109f13adf026d012c4e803f4a86a8f84e6ce3.tar.gz vyos-documentation-459109f13adf026d012c4e803f4a86a8f84e6ce3.zip | |
T8960: ai-validation — mint vyos-bot token via get-token@production
Swap the cross-repo-checkout token from the dedicated vyos-docs-reviewer
App (VYOS_APP_ID/_PRIVATE_KEY) to the shared vyos-bot App via the fleet
get-token composite, scoped contents:read. Skip-check now gates on
APP_CLIENT_ID + APP_PRIVATE_KEY + ANTHROPIC_API_KEY (org-level vyos-bot
creds); reword the stale token comment. PR-comment posting still uses
the default GITHUB_TOKEN. Byte-identical to the paired reference copy in
VyOS-Networks/vyos-docs-opus-reviewer (scripts/ai-validation.yml).
🤖 Generated by [robots](https://vyos.io)
Diffstat (limited to '.github/workflows')
| -rw-r--r-- | .github/workflows/ai-validation.yml | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml index ed0d3e5e..a6c459ef 100644 --- a/.github/workflows/ai-validation.yml +++ b/.github/workflows/ai-validation.yml @@ -257,8 +257,8 @@ jobs: id: secrets-check env: PR_AUTHOR: ${{ github.event.pull_request.user.login }} - VYOS_APP_ID: ${{ secrets.VYOS_APP_ID }} - VYOS_APP_PRIVATE_KEY: ${{ secrets.VYOS_APP_PRIVATE_KEY }} + APP_CLIENT_ID: ${{ vars.APP_CLIENT_ID }} + APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} run: | # Skip on Mergify-authored PRs (backport PRs, queue PRs). The @@ -277,8 +277,8 @@ jobs: printf '::notice::Skipping AI validation — PR authored by %s (already reviewed on source PR)\n' "$PR_AUTHOR" exit 0 fi - if [ -z "$VYOS_APP_ID" ] \ - || [ -z "$VYOS_APP_PRIVATE_KEY" ] \ + if [ -z "$APP_CLIENT_ID" ] \ + || [ -z "$APP_PRIVATE_KEY" ] \ || [ -z "$ANTHROPIC_API_KEY" ]; then echo "skip=true" >> "$GITHUB_OUTPUT" echo "skip_reason=missing-secrets" >> "$GITHUB_OUTPUT" @@ -309,7 +309,7 @@ jobs: run: | gh pr comment "${{ github.event.pull_request.number }}" \ --repo "${{ github.repository }}" \ - --body "AI Validation skipped — required secrets are not configured on this repo (\`ANTHROPIC_API_KEY\`, \`VYOS_APP_ID\`, \`VYOS_APP_PRIVATE_KEY\`). Maintainers: see the workflow run for details." + --body "AI Validation skipped — required secrets are not configured on this repo (\`ANTHROPIC_API_KEY\`; the org-level vyos-bot \`APP_CLIENT_ID\` + \`APP_PRIVATE_KEY\` must also be present). Maintainers: see the workflow run for details." # Check out the PR's MERGE REF into the workspace root. Required by # anthropics/claude-code-action@v1: it runs `git fetch origin @@ -391,12 +391,13 @@ jobs: - name: Generate GitHub App token if: steps.secrets-check.outputs.skip != 'true' id: app - uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2 + uses: vyos/.github/.github/actions/get-token@production with: - app-id: ${{ secrets.VYOS_APP_ID }} - private-key: ${{ secrets.VYOS_APP_PRIVATE_KEY }} owner: VyOS-Networks + client-id: ${{ vars.APP_CLIENT_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} repositories: vyos-1x,vyos-docs-opus-reviewer + permissions: '{"contents":"read"}' - name: Sparse-checkout branches.json from reviewer if: steps.secrets-check.outputs.skip != 'true' @@ -587,8 +588,9 @@ jobs: # claude_args block below) # - github_token is the workflow's PR-scoped default token # (pull-requests:write + issues:write + contents:read) — - # NOT the broader VYOS_APP_ID token, which is only used for - # the vyos-1x / reviewer-source checkouts + # NOT the vyos-bot App token, which is scoped to contents:read + # on the VyOS-Networks org repos for the vyos-1x / + # reviewer-source checkouts above # - the prompt explicitly marks PR content as untrusted with # <UNTRUSTED-PR-CONTENT> markers and tells Claude to treat # it as data, not instructions |
