summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorYuriy Andamasov <yuriy@vyos.io>2026-06-03 03:32:24 +0300
committerYuriy Andamasov <yuriy@vyos.io>2026-06-03 03:32:24 +0300
commit459109f13adf026d012c4e803f4a86a8f84e6ce3 (patch)
tree320c23897bfdca60bb4bd9ef3aba142a36e83d34
parent1d27b404815049815b0e9327e7ec3482ec2ecbfa (diff)
downloadvyos-documentation-459109f13adf026d012c4e803f4a86a8f84e6ce3.tar.gz
vyos-documentation-459109f13adf026d012c4e803f4a86a8f84e6ce3.zip
T8960: ai-validation — mint vyos-bot token via get-token@production
Swap the cross-repo-checkout token from the dedicated vyos-docs-reviewer App (VYOS_APP_ID/_PRIVATE_KEY) to the shared vyos-bot App via the fleet get-token composite, scoped contents:read. Skip-check now gates on APP_CLIENT_ID + APP_PRIVATE_KEY + ANTHROPIC_API_KEY (org-level vyos-bot creds); reword the stale token comment. PR-comment posting still uses the default GITHUB_TOKEN. Byte-identical to the paired reference copy in VyOS-Networks/vyos-docs-opus-reviewer (scripts/ai-validation.yml). 🤖 Generated by [robots](https://vyos.io)
-rw-r--r--.github/workflows/ai-validation.yml22
1 files changed, 12 insertions, 10 deletions
diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml
index ed0d3e5e..a6c459ef 100644
--- a/.github/workflows/ai-validation.yml
+++ b/.github/workflows/ai-validation.yml
@@ -257,8 +257,8 @@ jobs:
id: secrets-check
env:
PR_AUTHOR: ${{ github.event.pull_request.user.login }}
- VYOS_APP_ID: ${{ secrets.VYOS_APP_ID }}
- VYOS_APP_PRIVATE_KEY: ${{ secrets.VYOS_APP_PRIVATE_KEY }}
+ APP_CLIENT_ID: ${{ vars.APP_CLIENT_ID }}
+ APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
run: |
# Skip on Mergify-authored PRs (backport PRs, queue PRs). The
@@ -277,8 +277,8 @@ jobs:
printf '::notice::Skipping AI validation — PR authored by %s (already reviewed on source PR)\n' "$PR_AUTHOR"
exit 0
fi
- if [ -z "$VYOS_APP_ID" ] \
- || [ -z "$VYOS_APP_PRIVATE_KEY" ] \
+ if [ -z "$APP_CLIENT_ID" ] \
+ || [ -z "$APP_PRIVATE_KEY" ] \
|| [ -z "$ANTHROPIC_API_KEY" ]; then
echo "skip=true" >> "$GITHUB_OUTPUT"
echo "skip_reason=missing-secrets" >> "$GITHUB_OUTPUT"
@@ -309,7 +309,7 @@ jobs:
run: |
gh pr comment "${{ github.event.pull_request.number }}" \
--repo "${{ github.repository }}" \
- --body "AI Validation skipped — required secrets are not configured on this repo (\`ANTHROPIC_API_KEY\`, \`VYOS_APP_ID\`, \`VYOS_APP_PRIVATE_KEY\`). Maintainers: see the workflow run for details."
+ --body "AI Validation skipped — required secrets are not configured on this repo (\`ANTHROPIC_API_KEY\`; the org-level vyos-bot \`APP_CLIENT_ID\` + \`APP_PRIVATE_KEY\` must also be present). Maintainers: see the workflow run for details."
# Check out the PR's MERGE REF into the workspace root. Required by
# anthropics/claude-code-action@v1: it runs `git fetch origin
@@ -391,12 +391,13 @@ jobs:
- name: Generate GitHub App token
if: steps.secrets-check.outputs.skip != 'true'
id: app
- uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
+ uses: vyos/.github/.github/actions/get-token@production
with:
- app-id: ${{ secrets.VYOS_APP_ID }}
- private-key: ${{ secrets.VYOS_APP_PRIVATE_KEY }}
owner: VyOS-Networks
+ client-id: ${{ vars.APP_CLIENT_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
repositories: vyos-1x,vyos-docs-opus-reviewer
+ permissions: '{"contents":"read"}'
- name: Sparse-checkout branches.json from reviewer
if: steps.secrets-check.outputs.skip != 'true'
@@ -587,8 +588,9 @@ jobs:
# claude_args block below)
# - github_token is the workflow's PR-scoped default token
# (pull-requests:write + issues:write + contents:read) —
- # NOT the broader VYOS_APP_ID token, which is only used for
- # the vyos-1x / reviewer-source checkouts
+ # NOT the vyos-bot App token, which is scoped to contents:read
+ # on the VyOS-Networks org repos for the vyos-1x /
+ # reviewer-source checkouts above
# - the prompt explicitly marks PR content as untrusted with
# <UNTRUSTED-PR-CONTENT> markers and tells Claude to treat
# it as data, not instructions