
docs(auth): add ontologies/MIF to the pages app's consumers #44

Merged

zircote merged 2 commits into main from feat/pages-consumer-mif on Jul 2, 2026

Conversation

@zircote zircote commented Jul 1, 2026


Summary

Part of implementing ADR-0004 (ontologies repo)/ADR-019 (MIF repo): build-time attested ontology vendoring, closing ontologies#6.

ontologies' release.yml gains a notify-mif job that fires a repository_dispatch to MIF after a successful, tag-triggered release, minting a token via the existing pages App. MIF's deploy.yml gains the matching repository_dispatch receiver, wired to fetch and gh attestation verify that release before vendoring it into the served mif-spec.dev/ontologies/* surface, minting a token via the ci App for that read-only cross-repo call.

Merge-order dependency: as of this repo's main, neither companion workflow exists yet on its own repo's default branch. The notify-mif job lives on the still-open ontologies#25, and the ci-App consumption lives on the still-open MIF#203. This PR's manifest change is safe to merge on its own (it only adds consumer entries and a permission; nothing currently calls it), but the described cross-repo flow stays inert until all three PRs land. Recommend merging this one first or alongside the other two, not waiting on it as a blocker for them.

Changes

  • auth/apps.json:
    • Added ontologies/.github/workflows/release.yml to the pages App's consumers list (mints the token that fires the dispatch to MIF).
    • Added attestations: read to the ci App's permissions and MIF/.github/workflows/deploy.yml to its consumers list (mints the token MIF's deploy uses to fetch and verify the ontologies release tarball, a read-only cross-repo need that matches the ci App's existing "reads org/sibling state the default GITHUB_TOKEN cannot" purpose more precisely than pages would).

Test plan

  • Ran this manifest's own validation logic (app-manifest-validate.yml's jq checks) locally against the updated file: PASS — 5 apps verified.
  • Confirmed valid JSON and that every consumer path matches the required <repo>/.github/workflows/<file>.yml pattern.
  • Independent review (arbiter, --effort max) found 0 must-fix issues in the manifest change itself; the one should-fix (this merge-order note) is addressed above.

Part of implementing ADR-0004 (ontologies)/ADR-019 (MIF): build-time
attested ontology vendoring. ontologies' release.yml gains a notify-mif job
that fires a repository_dispatch to MIF on release; MIF's deploy.yml gains
the matching receiver, wired to fetch/verify/vendor the release. Both mint
tokens via the existing, already-installed pages App, following the same
pattern research-harness-template/docs.yml already uses to notify the org
Pages site.
Copilot AI review requested due to automatic review settings July 1, 2026 23:13

Copilot AI left a comment



Pull request overview

Updates the GitHub App auth manifest to allow the existing pages App token to be minted by additional workflows involved in cross-repo Pages deploy/notify and the new ontology vendoring/dispatch flow described in the PR.

Changes:

  • Adds ontologies/.github/workflows/release.yml as an allowed pages App consumer (sender workflow).
  • Adds MIF/.github/workflows/deploy.yml as an allowed pages App consumer (receiver workflow).


MIF's deploy.yml never mints a pages-app token (it only receives a
repository_dispatch, no auth needed for that); the earlier addition of
MIF/.github/workflows/deploy.yml to pages' consumers was a mistake. The
real cross-repo need is read-only: fetching and gh attestation verify-ing
the ontologies repo's signed release tarball at deploy time (ADR-019). That
matches the ci app's existing stated purpose almost exactly ("reads
org/sibling state the default GITHUB_TOKEN cannot"), so it gets
attestations:read added and becomes MIF/deploy.yml's consumer instead.
@zircote zircote merged commit e50b004 into main Jul 2, 2026
7 checks passed
@zircote zircote deleted the feat/pages-consumer-mif branch July 2, 2026 00:40