From ff876fb532bf1cd268d85ac051f5662bf4350bf4 Mon Sep 17 00:00:00 2001 From: Jean-Pierre Portier Date: Tue, 26 May 2026 15:54:53 +0200 Subject: [PATCH 1/4] CI: support synch between public and private repo
---
.github/workflows/notify-private-repo.yml | 34 ++++++++++++++++++ .github/workflows/sync-from-public.yml | 43 +++++++++++++++++++++++ 2 files changed, 77 insertions(+) create mode 100644 .github/workflows/notify-private-repo.yml create mode 100644 .github/workflows/sync-from-public.yml
diff --git a/.github/workflows/notify-private-repo.yml b/.github/workflows/notify-private-repo.yml new file mode 100644
index 000000000..1dc3d96b2
--- /dev/null
+++ b/.github/workflows/notify-private-repo.yml
@@ -0,0 +1,34 @@
+name: Notify Private Repo of Update
+
+env:
+ SDK_NAME: sinch-sdk-java
+
+on:
+ push:
+
+jobs:
+ ping-private:
+ if: |
+ github.actor != 'sinch-internal-repo-sync-app[bot]' && !endsWith(github.event.repository.name, 'internal')
+
+ runs-on: ubuntu-latest
+ steps:
+ # 1. Generate a temporary token from the GitHub App
+ - name: Generate GitHub App Token
+ uses: actions/create-github-app-token@v3
+ id: app-token
+ with:
+ client-id: ${{ vars.SINCH_INTERNAL_REPO_SYNC_APP_CLIENT_ID }}
+ private-key: ${{ secrets.SINCH_INTERNAL_REPO_SYNC_APP_PRIVATE_KEY }}
+
+ # 2. Use that token to send the "ping" to the private repo
+ - name: Send Repository Dispatch to Private Repo
+ env:
+ SYNC_TOKEN: ${{ steps.app-token.outputs.token }}
+ run: |
+ curl -X POST --fail-with-body \
+ -H "Content-Type: application/json" \
+ -H "Authorization: token ${SYNC_TOKEN}" \
+ -H "Accept: application/vnd.github.v3+json" \
+ https://api.github.com/repos/sinch/${SDK_NAME}-internal/dispatches \
+ -d '{"event_type": "public_push_event"}'
diff --git a/.github/workflows/sync-from-public.yml b/.github/workflows/sync-from-public.yml new file mode 100644
index 000000000..1d38e049d
--- /dev/null
+++ b/.github/workflows/sync-from-public.yml
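Review bot: In `.github/workflows/notify-private-repo.yml` the step that receives the App private key runs `actions/create-github-app-token@v3`, a tag that can be repointed, and the workflow declares no `permissions:` block. Pinning the step to a full commit SHA, `uses: actions/create-github-app-token@<full-commit-sha>  # v3`, keeps a retagged release from running with `SINCH_INTERNAL_REPO_SYNC_APP_PRIVATE_KEY`, and a top-level `permissions: {}` drops the default `GITHUB_TOKEN` scopes that no step here uses. The same two changes apply to `.github/workflows/sync-from-public.yml`. The `if:` guard also looks true on any fork whose name does not end in `internal`, where (if Actions is enabled) the secret would be empty and the job would fail on every push; also requiring `github.repository_owner == 'sinch'` would skip it there.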
@@ -0,0 +1,43 @@
+name: Sync From Public
+
+env:
+ SDK_NAME: sinch-sdk-java
+
+# Ensures only one sync runs at a time. Cancels any running sync when a new trigger arrives.
+concurrency:
+ group: sync-repo-${{ github.repository }}
+ cancel-in-progress: true
+
+on:
+ schedule:
+ # Runs only once a day at midnight to catch any missed updates
+ - cron: '0 0 * * *'
+ repository_dispatch:
+ types: [public_push_event] # Keeps your instant trigger active
+ workflow_dispatch: # Allows manual run
+
+jobs:
+ sync-repo:
+ if: endsWith(github.event.repository.name, 'internal')
+ runs-on: ubuntu-latest
+ steps:
+ # 1. Generate a temporary installation token using the GitHub App
+ - name: Generate GitHub App Token
+ uses: actions/create-github-app-token@v3
+ id: app-token
+ with:
+ client-id: ${{ vars.SINCH_INTERNAL_REPO_SYNC_APP_CLIENT_ID }}
+ private-key: ${{ secrets.SINCH_INTERNAL_REPO_SYNC_APP_PRIVATE_KEY }}
+
+ # 2. Execute the sync using the short-lived token
+ - name: Sync Public to Private
+ env:
+ SYNC_TOKEN: ${{ steps.app-token.outputs.token }}
+ run: |
+ # Clone the public repository as a bare repo (read-only, public)
+ git clone --bare https://github.com/sinch/$SDK_NAME.git public_repo
+ cd public_repo
+
+ # Push all branches and tags to the private repo using the App Token
+ git push --all https://x-access-token:${SYNC_TOKEN}@github.com/sinch/${SDK_NAME}-internal.git
+ git push --tags https://x-access-token:${SYNC_TOKEN}@github.com/sinch/${SDK_NAME}-internal.git
\ No newline at end of file
From f2762dca03b11651cacc23cfb9328fcc5f562802 Mon Sep 17 00:00:00 2001 From: Jean-Pierre Portier Date: Wed, 27 May 2026 18:18:42 +0200 Subject: [PATCH 2/4] CI: Use 'Bearer' token for notification
---
.github/workflows/notify-private-repo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/notify-private-repo.yml b/.github/workflows/notify-private-repo.yml
index 1dc3d96b2..2a6780040 100644
--- a/.github/workflows/notify-private-repo.yml
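Review bot: Both `git push` lines in the `Sync Public to Private` step of `sync-from-public.yml` embed the installation token in the remote URL, so it travels in the process arguments and may surface in git's own output, leaving log masking as the only protection. Supplying it through a credential helper keeps the URL clean, e.g. `git config credential.helper '!f() { echo username=x-access-token; echo "password=${SYNC_TOKEN}"; }; f'` after `cd public_repo`, then `git push --all https://github.com/sinch/${SDK_NAME}-internal.git` and the same for `--tags`. Separately, the job guard `endsWith(github.event.repository.name, 'internal')` reads the event payload, which as far as I know carries no `repository` object on `schedule` runs, so the nightly catch-up may be skipped silently; `endsWith(github.repository, '-internal')` does not depend on the payload and is worth confirming with a manual run.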
+++ b/.github/workflows/notify-private-repo.yml @@ -28,7 +28,7 @@ jobs: run: | curl -X POST --fail-with-body \ -H "Content-Type: application/json" \ - -H "Authorization: token ${SYNC_TOKEN}" \ + -H "Authorization: Bearer ${SYNC_TOKEN}" \ -H "Accept: application/vnd.github.v3+json" \ https://api.github.com/repos/sinch/${SDK_NAME}-internal/dispatches \ -d '{"event_type": "public_push_event"}' From b2e7166b159c45b50902c9849bd99f1da49b9aae Mon Sep 17 00:00:00 2001 From: Jean-Pierre Portier Date: Wed, 27 May 2026 18:23:24 +0200 Subject: [PATCH 3/4] CI: Use dedicated github API version header --- .github/workflows/notify-private-repo.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/notify-private-repo.yml b/.github/workflows/notify-private-repo.yml index 2a6780040..e85c2bafa 100644 --- a/.github/workflows/notify-private-repo.yml +++ b/.github/workflows/notify-private-repo.yml @@ -30,5 +30,6 @@ jobs: -H "Content-Type: application/json" \ -H "Authorization: Bearer ${SYNC_TOKEN}" \ -H "Accept: application/vnd.github.v3+json" \ + -H "X-GitHub-Api-Version: 2026-03-10" \ https://api.github.com/repos/sinch/${SDK_NAME}-internal/dispatches \ -d '{"event_type": "public_push_event"}' From cb144b02f6c0c33244493193928341bc01449c4f Mon Sep 17 00:00:00 2001 From: Jean-Pierre Portier Date: Wed, 27 May 2026 18:29:32 +0200 Subject: [PATCH 4/4] CI: Request token to internal repo --- .github/workflows/notify-private-repo.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/notify-private-repo.yml b/.github/workflows/notify-private-repo.yml index e85c2bafa..58ca9f092 100644 --- a/.github/workflows/notify-private-repo.yml +++ b/.github/workflows/notify-private-repo.yml 
@@ -20,6 +20,9 @@ jobs: with: client-id: ${{ vars.SINCH_INTERNAL_REPO_SYNC_APP_CLIENT_ID }} private-key: ${{ secrets.SINCH_INTERNAL_REPO_SYNC_APP_PRIVATE_KEY }} + # Explicitly request access to the internal repository: + owner: ${{ github.repository_owner }} + repositories: ${{ env.SDK_NAME }}-internal # 2. Use that token to send the "ping" to the private repo - name: Send Repository Dispatch to Private Repo
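Review bot: The `owner` and `repositories` inputs added to the `with:` block limit which repository the token can reach, but the token still carries every permission granted to the App installation. If the pinned action version supports the `permission-*` inputs, adding `permission-contents: write` would restrict it to what the dispatch call appears to need; which permission `repository_dispatch` requires for App tokens should be confirmed against the API documentation. A one-line comment stating that the token is intentionally scoped to a single repository would help the next reader keep it that way. The `with:` block and the enclosing step begin outside this hunk.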