From 39f3cab6fdc449c17e50ef0a90d565596af10b84 Mon Sep 17 00:00:00 2001
From: Marcos Lozano Romero
Date: Mon, 29 Jun 2026 11:27:18 +0200
Subject: [PATCH 1/2] chore(core): add private repo workflows
---
.github/workflows/notify-private-repo.yml | 38 ++++++++++++++
.github/workflows/sync-from-public.yml | 43 ++++++++++++++++
.github/workflows/sync-to-public.yml | 61 +++++++++++++++++++++++
3 files changed, 142 insertions(+)
create mode 100644 .github/workflows/notify-private-repo.yml
create mode 100644 .github/workflows/sync-from-public.yml
create mode 100644 .github/workflows/sync-to-public.yml
diff --git a/.github/workflows/notify-private-repo.yml b/.github/workflows/notify-private-repo.yml
new file mode 100644
index 00000000..589d867e
--- /dev/null
+++ b/.github/workflows/notify-private-repo.yml
@@ -0,0 +1,38 @@
+name: Notify Private Repo of Update
+
+env:
+ SDK_NAME: sinch-sdk-python
+
+on:
+ push:
+
+jobs:
+ ping-private:
+ if: |
+ github.actor != 'sinch-internal-repo-sync-app[bot]' && !endsWith(github.event.repository.name, 'internal')
+
+ runs-on: ubuntu-latest
+ steps:
+ # 1. Generate a temporary token from the GitHub App
+ - name: Generate GitHub App Token
+ uses: actions/create-github-app-token@v3
+ id: app-token
+ with:
+ client-id: ${{ vars.SINCH_INTERNAL_REPO_SYNC_APP_CLIENT_ID }}
+ private-key: ${{ secrets.SINCH_INTERNAL_REPO_SYNC_APP_PRIVATE_KEY }}
+ # Explicitly request access to the internal repository:
+ owner: ${{ github.repository_owner }}
+ repositories: ${{ env.SDK_NAME }}-internal
+
+ # 2. Use that token to send the "ping" to the private repo
+ - name: Send Repository Dispatch to Private Repo
+ env:
+ SYNC_TOKEN: ${{ steps.app-token.outputs.token }}
+ run: |
+ curl -X POST --fail-with-body \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer ${SYNC_TOKEN}" \
+ -H "Accept: application/vnd.github.v3+json" \
+ -H "X-GitHub-Api-Version: 2026-03-10" \
+ https://api.github.com/repos/sinch/${SDK_NAME}-internal/dispatches \
+ -d '{"event_type": "public_push_event"}'
\ No newline at end of file
diff --git a/.github/workflows/sync-from-public.yml b/.github/workflows/sync-from-public.yml
new file mode 100644
index 00000000..95b0c304
--- /dev/null
+++ b/.github/workflows/sync-from-public.yml
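Review bot: In `notify-private-repo.yml` the step that receives `SINCH_INTERNAL_REPO_SYNC_APP_PRIVATE_KEY` runs `actions/create-github-app-token@v3`, a movable tag, so whatever code that tag points to at run time handles the App's private key; the same holds for the token steps in `sync-from-public.yml` and `sync-to-public.yml`, and for `actions/checkout@v4` in the latter. I would pin each to a full commit SHA, e.g. `uses: actions/create-github-app-token@<full-commit-sha>  # v3` (placeholder; take the SHA from the release you reviewed). None of the three workflows declares `permissions:`, so the job's `GITHUB_TOKEN` keeps the repository default; `permissions: {}` at the top of this file (and `contents: read` where `actions/checkout` runs) keeps it minimal. The minted App token is limited by repository but not by permission, so adding `permission-contents: write` to the `with:` block would narrow it, assuming the dispatch call needs nothing beyond contents write.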
@@ -0,0 +1,43 @@
+name: Sync From Public
+
+env:
+ SDK_NAME: sinch-sdk-python
+
+# Ensures only one sync runs at a time. Cancels any running sync when a new trigger arrives.
+concurrency:
+ group: sync-repo-${{ github.repository }}
+ cancel-in-progress: true
+
+on:
+ schedule:
+ # Runs only once a day at midnight to catch any missed updates
+ - cron: '0 0 * * *'
+ repository_dispatch:
+ types: [public_push_event] # Keeps your instant trigger active
+ workflow_dispatch: # Allows manual run
+
+jobs:
+ sync-repo:
+ if: endsWith(github.event.repository.name, 'internal')
+ runs-on: ubuntu-latest
+ steps:
+ # 1. Generate a temporary installation token using the GitHub App
+ - name: Generate GitHub App Token
+ uses: actions/create-github-app-token@v3
+ id: app-token
+ with:
+ client-id: ${{ vars.SINCH_INTERNAL_REPO_SYNC_APP_CLIENT_ID }}
+ private-key: ${{ secrets.SINCH_INTERNAL_REPO_SYNC_APP_PRIVATE_KEY }}
+
+ # 2. Execute the sync using the short-lived token
+ - name: Sync Public to Private
+ env:
+ SYNC_TOKEN: ${{ steps.app-token.outputs.token }}
+ run: |
+ # Clone the public repository as a bare repo (read-only, public)
+ git clone --bare https://github.com/sinch/$SDK_NAME.git public_repo
+ cd public_repo
+
+ # Push all branches and tags to the private repo using the App Token
+ git push --all https://x-access-token:${SYNC_TOKEN}@github.com/sinch/${SDK_NAME}-internal.git
+ git push --tags https://x-access-token:${SYNC_TOKEN}@github.com/sinch/${SDK_NAME}-internal.git
\ No newline at end of file
diff --git a/.github/workflows/sync-to-public.yml b/.github/workflows/sync-to-public.yml
new file mode 100644
index 00000000..f3fe222a
--- /dev/null
+++ b/.github/workflows/sync-to-public.yml
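Review bot: In `sync-from-public.yml` the job condition `if: endsWith(github.event.repository.name, 'internal')` reads the event payload, which for `schedule` runs carries no `repository` object as far as I know, so the nightly catch-up sync would be skipped every time and only the dispatch and manual triggers would do any work. `if: endsWith(github.repository, 'internal')` uses a context value that is set for every trigger. Separately, both `git push` commands place `${SYNC_TOKEN}` in the URL argument, where it is exposed in the process arguments on the runner; supplying it through a credential helper that reads `SYNC_TOKEN` from the environment and pushing to the plain `https://github.com/sinch/${SDK_NAME}-internal.git` URL avoids that. The same applies to `git remote add public` in `sync-to-public.yml`, which also writes the token into `.git/config`.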
@@ -0,0 +1,61 @@
+name: Sync Merged Changes to Public Repo
+
+# Trigger this workflow whenever a Pull Request is merged into the internal repo.
+# A merge closes the PR and updates the base branch, so we can sync that branch to the public repository.
+on:
+ pull_request:
+ types: [closed]
+
+env:
+ SDK_NAME: sinch-sdk-python # Adjust dynamically if needed
+ PUBLIC_REPO_OWNER: sinch
+
+# Ensure we don't have multiple syncs trying to push at the exact same time
+concurrency:
+ group: sync-to-public-${{ github.repository }}-${{ github.event.pull_request.base.ref }}
+ cancel-in-progress: true
+
+jobs:
+ sync-to-public:
+ # Only sync when a PR is merged in the internal repo; skip merges performed by the sync app
+ if: |
+ github.event.pull_request.merged == true &&
+ github.actor != 'sinch-internal-repo-sync-app[bot]' &&
+ endsWith(github.event.repository.name, 'internal')
+ runs-on: ubuntu-latest
+ steps:
+ # 1. Resolve the target branch name
+ - name: Resolve Target Branch
+ run: echo "TARGET_BRANCH=${{ github.event.pull_request.base.ref }}" >> "$GITHUB_ENV"
+
+ # 2. Checkout the internal repository (the source of truth)
+ - name: Checkout Internal Repository
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ env.TARGET_BRANCH }}
+ fetch-depth: 0 # We need full history to push correctly
+ persist-credentials: false # We'll use the App token for pushing, not the default GITHUB
+
+ # 3. Generate a temporary token scoped to the PUBLIC repository
+ - name: Generate GitHub App Token for Public Repo
+ uses: actions/create-github-app-token@v3
+ id: app-token
+ with:
+ client-id: ${{ vars.SINCH_INTERNAL_REPO_SYNC_APP_CLIENT_ID }}
+ private-key: ${{ secrets.SINCH_INTERNAL_REPO_SYNC_APP_PRIVATE_KEY }}
+ owner: ${{ env.PUBLIC_REPO_OWNER }}
+ repositories: ${{ env.SDK_NAME }}
+
+ # 4. Push the updated branch to the public repository
+ - name: Push to Public Repository
+ env:
+ SYNC_TOKEN: ${{ steps.app-token.outputs.token }}
+ run: |
+ echo "Syncing branch $TARGET_BRANCH to public repository..."
+
+ # Add the public repository as a remote using the App token
+ git remote add public "https://x-access-token:${SYNC_TOKEN}@github.com/${PUBLIC_REPO_OWNER}/${SDK_NAME}.git"
+
+ # Push the specific branch that was just updated
+ # We do NOT force push (-f) by default to prevent accidentally wiping out public history if things get out of sync.
+ git push public HEAD:refs/heads/$TARGET_BRANCH
\ No newline at end of file
From ea05a48530703f596996c802f6ed03437b6d8ab9 Mon Sep 17 00:00:00 2001
From: Marcos Lozano Romero
Date: Mon, 29 Jun 2026 12:19:57 +0200
Subject: [PATCH 2/2] change to re deploy
---
.github/workflows/sync-to-public.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sync-to-public.yml b/.github/workflows/sync-to-public.yml
index f3fe222a..1177fc2f 100644
--- a/.github/workflows/sync-to-public.yml
+++ b/.github/workflows/sync-to-public.yml
@@ -1,7 +1,7 @@ name: Sync Merged Changes to Public Repo # Trigger this workflow whenever a Pull Request is merged into the internal repo. -# A merge closes the PR and updates the base branch, so we can sync that branch to the public repository. +# A merge closes the PR and updates the base branch, so we can sync that branch to the public repository on: pull_request: types: [closed]
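Review bot: In `sync-to-public.yml` (PATCH 1/2) the `Resolve Target Branch` step expands `${{ github.event.pull_request.base.ref }}` directly inside the `run:` script, so a branch name containing shell metacharacters is interpreted by the shell before `echo` runs, in a job that later holds a write token for the public repository. Pass the value as data instead: drop that step, set `TARGET_BRANCH: ${{ github.event.pull_request.base.ref }}` under an `env:` key on the job, and quote the refspec, `git push public "HEAD:refs/heads/${TARGET_BRANCH}"`. The job also publishes whichever base branch the merged PR targeted, so any internal-only branch that receives a PR ends up in the public repository. An explicit branch allowlist in the `if:` (for example only the default branch) would make that a deliberate choice.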