docs(auth): add ontologies/MIF to the pages app's consumers#44
Merged
Conversation
Part of implementing ADR-0004 (ontologies)/ADR-019 (MIF): build-time attested ontology vendoring. ontologies' release.yml gains a notify-mif job that fires a repository_dispatch to MIF on release; MIF's deploy.yml gains the matching receiver, wired to fetch/verify/vendor the release. Both mint tokens via the existing, already-installed pages App, following the same pattern research-harness-template/docs.yml already uses to notify the org Pages site.
Contributor
Pull request overview
Updates the GitHub App auth manifest to allow the existing pages App token to be minted by additional workflows involved in cross-repo Pages deploy/notify and the new ontology vendoring/dispatch flow described in the PR.
Changes:
- Adds `ontologies/.github/workflows/release.yml` as an allowed `pages` App consumer (sender workflow).
- Adds `MIF/.github/workflows/deploy.yml` as an allowed `pages` App consumer (receiver workflow).
MIF's deploy.yml never mints a pages-app token (it only receives a
repository_dispatch, no auth needed for that); the earlier addition of
MIF/.github/workflows/deploy.yml to pages' consumers was a mistake. The
real cross-repo need is read-only: fetching and gh attestation verify-ing
the ontologies repo's signed release tarball at deploy time (ADR-019). That
matches the ci app's existing stated purpose almost exactly ("reads
org/sibling state the default GITHUB_TOKEN cannot"), so it gets
attestations:read added and becomes MIF/deploy.yml's consumer instead.
Summary
Part of implementing ADR-0004 (`ontologies` repo)/ADR-019 (`MIF` repo): build-time attested ontology vendoring, closing ontologies#6. `ontologies`' `release.yml` gains a `notify-mif` job that fires a `repository_dispatch` to `MIF` after a successful, tag-triggered release, minting a token via the existing `pages` App. `MIF`'s `deploy.yml` gains the matching `repository_dispatch` receiver, wired to fetch and `gh attestation verify` that release before vendoring it into the served `mif-spec.dev/ontologies/*` surface, minting a token via the `ci` App for that read-only cross-repo call.

Merge-order dependency: as of this repo's `main`, neither companion workflow exists yet on its own repo's default branch. The `notify-mif` job lives on the still-open ontologies#25, and the `ci`-App consumption lives on the still-open MIF#203. This PR's manifest change is safe to merge on its own (it only adds consumer entries and a permission; nothing currently calls it), but the described cross-repo flow stays inert until all three PRs land. Recommend merging this one first or alongside the other two, not waiting on it as a blocker for them.

Changes
`auth/apps.json`:
- `ontologies/.github/workflows/release.yml` to the `pages` App's `consumers` list (mints the token that fires the dispatch to MIF).
- `attestations: read` to the `ci` App's permissions and `MIF/.github/workflows/deploy.yml` to its `consumers` list (mints the token MIF's deploy uses to fetch and verify the `ontologies` release tarball, a read-only cross-repo need that matches the `ci` App's existing "reads org/sibling state the default `GITHUB_TOKEN` cannot" purpose more precisely than `pages` would).

Test plan
- … `app-manifest-validate.yml`'s jq checks) locally against the updated file: PASS — 5 apps verified.
- … `<repo>/.github/workflows/<file>.yml` pattern.
- … `--effort max`) found 0 must-fix issues in the manifest change itself; the one should-fix (this merge-order note) is addressed above.
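The two sides of the flow described in this PR, written out as an added illustration rather than the actual `ontologies` or `MIF` workflows. It shows the three least-privilege points the PR body makes: receiving a `repository_dispatch` needs no token, the sender's `pages` App token is scoped to the one repository it dispatches to, and the receiver's `ci` App token is used only for the read-only fetch-and-verify, which fails closed before anything is unpacked. Everything not named on the page is an assumption: the `PAGES_APP_ID`/`CI_APP_ID` variables and `*_PRIVATE_KEY` secrets, the `ontologies-release` event type, the `ontologies.tar.gz` artifact name, the `v*` tag filter, the `site/ontologies` vendoring path, and the `--signer-workflow` pinning (check its value format against your `gh` version).

```yaml
# Added example, not the repos' own workflows. Names marked (assumed) are placeholders.

# --- ontologies/.github/workflows/release.yml: sender side ---
name: release
on:
  push:
    tags: ["v*"]                      # (assumed) tag-triggered release
permissions:
  contents: read
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write                 # publish the release asset
      id-token: write                 # required to sign build provenance
      attestations: write
    steps:
      - uses: actions/checkout@v4
      - run: tar -czf ontologies.tar.gz ontologies/   # (assumed) artifact name
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: ontologies.tar.gz
      - run: gh release create "$GITHUB_REF_NAME" ontologies.tar.gz
        env:
          GH_TOKEN: ${{ github.token }}
  notify-mif:
    needs: release                    # only after a successful release
    runs-on: ubuntu-latest
    steps:
      - id: pages-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.PAGES_APP_ID }}                   # (assumed) variable name
          private-key: ${{ secrets.PAGES_APP_PRIVATE_KEY }}  # (assumed) secret name
          owner: ${{ github.repository_owner }}
          repositories: MIF           # scope the installation token to the receiver only
      - name: Fire repository_dispatch at MIF
        env:
          GH_TOKEN: ${{ steps.pages-token.outputs.token }}
          OWNER: ${{ github.repository_owner }}
        run: |
          gh api "repos/$OWNER/MIF/dispatches" \
            -f event_type=ontologies-release \
            -f "client_payload[tag]=$GITHUB_REF_NAME"
---
# --- MIF/.github/workflows/deploy.yml: receiver side ---
name: deploy
on:
  repository_dispatch:
    types: [ontologies-release]       # receiving the dispatch itself needs no token
jobs:
  vendor-ontologies:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: ci-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.CI_APP_ID }}                      # (assumed) variable name
          private-key: ${{ secrets.CI_APP_PRIVATE_KEY }}     # (assumed) secret name
          owner: ${{ github.repository_owner }}
          repositories: ontologies    # read-only cross-repo need: contents + attestations:read
      - name: Fetch and verify the signed release before vendoring it
        env:
          GH_TOKEN: ${{ steps.ci-token.outputs.token }}
          TAG: ${{ github.event.client_payload.tag }}
          OWNER: ${{ github.repository_owner }}
        run: |
          set -euo pipefail
          gh release download "$TAG" --repo "$OWNER/ontologies" --pattern ontologies.tar.gz
          # Fail closed: a non-zero exit here stops the job before the tarball is unpacked.
          # --signer-workflow pins provenance to the sibling's release workflow, so an
          # asset signed by any other workflow in that repo is rejected too.
          gh attestation verify ontologies.tar.gz \
            --repo "$OWNER/ontologies" \
            --signer-workflow "$OWNER/ontologies/.github/workflows/release.yml"
          mkdir -p site/ontologies    # (assumed) served path for mif-spec.dev/ontologies/*
          tar -xzf ontologies.tar.gz -C site/ontologies --strip-components=1
      # Pages build/deploy steps for the vendored tree follow here (omitted).
```

The manifest consumer entries in this PR are what authorise these two `create-github-app-token` calls: `ontologies/.github/workflows/release.yml` against the `pages` App and `MIF/.github/workflows/deploy.yml` against the `ci` App. Until both companion PRs land, neither job exists, so the added consumer entries and the `attestations: read` permission sit unused, which is why the manifest change is safe to merge first.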