From 812d1d0da02d82fabf69b448802ee035abbb4133 Mon Sep 17 00:00:00 2001
From: zircote
Date: Wed, 1 Jul 2026 19:12:55 -0400
Subject: [PATCH 1/2] docs(auth): add ontologies/MIF to the pages app's consumers

Part of implementing ADR-0004 (ontologies)/ADR-019 (MIF): build-time attested ontology vendoring. ontologies' release.yml gains a notify-mif job that fires a repository_dispatch to MIF on release; MIF's deploy.yml gains the matching receiver, wired to fetch/verify/vendor the release. Both mint tokens via the existing, already-installed pages App, following the same pattern research-harness-template/docs.yml already uses to notify the org Pages site.
---
 auth/apps.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/auth/apps.json b/auth/apps.json
index 41f9274..591de2b 100644
--- a/auth/apps.json
+++ b/auth/apps.json
@@ -48,7 +48,9 @@
 "install_on": "all",
 "consumers": [
 "modeled-information-format.github.io/.github/workflows/deploy.yml",
- "research-harness-template/.github/workflows/docs.yml"
+ "research-harness-template/.github/workflows/docs.yml",
+ "ontologies/.github/workflows/release.yml",
+ "MIF/.github/workflows/deploy.yml"
 ]
 },
 "automerge": {
From 6ff63fdc6be149757b7c9cf231bda1d0c3ab8a94 Mon Sep 17 00:00:00 2001
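Review bot: The new `ontologies/.github/workflows/release.yml` entry means a token minted from an app whose `"install_on"` is `"all"` is used to fire a `repository_dispatch` into MIF, which requires `contents: write` on that repository; the pages app's permissions block that would show whether it carries that lies above this hunk, so it cannot be confirmed here. Because the installation spans every repository, the minting step in release.yml should restrict the installation token to the MIF repository rather than accept the default token for the whole installation, so a compromised release job cannot write to unrelated repos. The `MIF/.github/workflows/deploy.yml` line is withdrawn again by PATCH 2/2, but the ontologies entry survives in that patch's third hunk (`@@ -49,8 +51,7 @@`), so the scoping point applies to the final state as well.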
From: zircote
Date: Wed, 1 Jul 2026 19:51:14 -0400
Subject: [PATCH 2/2] fix(auth): use ci app, not pages, for MIF's cross-repo attestation reads

MIF's deploy.yml never mints a pages-app token (it only receives a repository_dispatch, no auth needed for that); the earlier addition of MIF/.github/workflows/deploy.yml to pages' consumers was a mistake. The real cross-repo need is read-only: fetching and gh attestation verify-ing the ontologies repo's signed release tarball at deploy time (ADR-019). That matches the ci app's existing stated purpose almost exactly ("reads org/sibling state the default GITHUB_TOKEN cannot"), so it gets attestations:read added and becomes MIF/deploy.yml's consumer instead.
---
 auth/apps.json | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/auth/apps.json b/auth/apps.json
index 591de2b..3cfe02f 100644
--- a/auth/apps.json
+++ b/auth/apps.json
@@ -6,7 +6,7 @@
 "identifier": "client-id",
 "apps": {
 "ci": {
- "purpose": "General CI cross-repo identity. Reads org/sibling state the default GITHUB_TOKEN cannot — primary consumer is OpenSSF Scorecard reading branch protection (administration:read) so posture scores from real settings.",
+ "purpose": "General CI cross-repo identity. Reads org/sibling state the default GITHUB_TOKEN cannot — primary consumer is OpenSSF Scorecard reading branch protection (administration:read) so posture scores from real settings. Also mints the read-only cross-repo identity MIF's deploy uses to fetch and attestation-verify the ontologies repo's signed release tarball (ADR-019).",
 "id_variable": "CI_CLIENT_APP_ID",
 "key_secret": "CI_CLIENT_APP_PRIVATE_KEY",
 "permissions": {
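Review bot: The sentence appended to `purpose` restates the consumer relationship that the `consumers` array in the next hunk already records (`MIF/.github/workflows/deploy.yml`), so the two descriptions will drift the next time a consumer is added or retired — this very pair of patches shows one such drift. The wording is also slightly off: the app does not mint anything, the consuming workflow mints an installation token from it. Keeping `purpose` to the app's role and the permission it justifies reads cleaner, e.g. `"purpose": "General CI cross-repo identity. Reads org/sibling state the default GITHUB_TOKEN cannot — primary consumer is OpenSSF Scorecard reading branch protection (administration:read) so posture scores from real settings; also the read-only identity for fetching and attestation-verifying sibling repos' signed releases (attestations:read, ADR-019)."`. The `"ci"` object continues past the hunk: `"permissions": {` on its last line opens a block whose body lies outside it.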
@@ -15,11 +15,13 @@
 "pull_requests": "read",
 "issues": "read",
 "actions": "read",
- "checks": "read"
+ "checks": "read",
+ "attestations": "read"
 },
 "install_on": "all",
 "consumers": [
- ".github/.github/workflows/reusable-scorecard.yml"
+ ".github/.github/workflows/reusable-scorecard.yml",
+ "MIF/.github/workflows/deploy.yml"
 ]
 },
 "catalog": {
@@ -49,8 +51,7 @@
 "consumers": [
 "modeled-information-format.github.io/.github/workflows/deploy.yml",
 "research-harness-template/.github/workflows/docs.yml",
- "ontologies/.github/workflows/release.yml",
- "MIF/.github/workflows/deploy.yml"
+ "ontologies/.github/workflows/release.yml"
 ]
 },
 "automerge": {
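Review bot: `"attestations": "read"` covers the attestation lookup, but fetching the release tarball it attests also needs `contents` read on the ontologies repository whenever that repo is not public, and the first lines of the `permissions` block sit above `@@ -15,11 +15,13 @@`, so whether `contents` is granted cannot be confirmed from this hunk. Adding `MIF/.github/workflows/deploy.yml` as a consumer also means the variable `CI_CLIENT_APP_ID` and the secret `CI_CLIENT_APP_PRIVATE_KEY` must be readable from the MIF repository; if they are org-level, extend their repository-access list to MIF rather than opening them to all repositories. On the verifying side, which lives in deploy.yml rather than in this file, the check should pin the producer — `gh attestation verify --repo <ORG>/ontologies` together with `--signer-repo`/`--signer-workflow` — so that an attestation signed by any other workflow in the org does not satisfy it. Since `"install_on": "all"` is visible in this hunk, the token deploy.yml mints from the ci app should likewise be restricted to the ontologies repository at mint time.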