Comparing trunk...niik/deploy · cli/cli · GitHub
base repository: cli/cli
base: trunk
head repository: cli/cli
compare: niik/deploy
  • 10 commits
  • 3 files changed
  • 3 contributors

Commits on May 22, 2026

  1. Replace SITE_DEPLOY_PAT with gh-cli-site-deployer App

    The release workflow currently checks out github/cli.github.com using
    a personal access token (SITE_DEPLOY_PAT) owned by an individual
    maintainer to push generated docs, the index.html version stamp, and
    RPM/DEB package metadata.
    
    Replace that with a short-lived installation token minted at runtime
    from the new gh-cli-site-deployer GitHub App, owned by the github
    org and installed only on github/cli.github.com with Contents:write
    permission. The App's credentials live in the production environment
    as SITE_DEPLOY_APP_CLIENT_ID and SITE_DEPLOY_APP_PRIVATE_KEY,
    federated from the github-cli Vault.
    
    The token mint step is guarded on inputs.environment == 'production'
    because non-production environments don't have the App credentials
    and don't push to the site anyway (the Publish site step is already
    gated on DO_PUBLISH which requires production). github/cli.github.com
    is public, so the checkout in non-production falls back to
    GITHUB_TOKEN for anonymous read access, matching existing behavior.
    
    Also update docs/release-process-deep-dive.md to reflect the new
    flow.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    williammartin and Copilot committed May 22, 2026
    7138ed3

Commits on Jun 16, 2026

  1. da101bf
  2. 7d92f7d
  3. Update deployment.yml

    niik committed Jun 16, 2026
    8f2ecd2

Commits on Jun 17, 2026

  1. Mint a token from GitHub app

    niik committed Jun 17, 2026
    9522f6e
  2. Use client-id input for create-github-app-token

    Fix workflow inputs for actions/create-github-app-token by replacing the incorrect app-id key with client-id in multiple deploy job steps. This corrects the parameter name (four occurrences) so the Action receives the expected secret (DEPLOY_APP_ID) and can generate deployment tokens successfully. No other changes to the workflow or action version were made.
    niik committed Jun 17, 2026
    9ac613a
  3. Rename DEPLOY_APP_ID secret to DEPLOY_APP_CLIENT_ID

    Update .github/workflows/deployment.yml to rename the deploy secret from DEPLOY_APP_ID to DEPLOY_APP_CLIENT_ID and adjust all create-github-app-token steps to use the new secret (client-id: ${{ secrets.DEPLOY_APP_CLIENT_ID }}). This clarifies that the secret is the GitHub App Client ID used to generate deploy tokens and keeps the workflow consistent across multiple deploy-token job invocations.
    niik committed Jun 17, 2026
    f8dec08
  4. Update deployment.yml

    niik committed Jun 17, 2026
    4f43068

Commits on Jun 30, 2026

  1. Add 20-minute timeouts to deploy jobs

    Set `timeout-minutes: 20` for the Linux, macOS, and Windows deployment jobs in the deployment workflow to prevent stalled runs from hanging indefinitely.
    niik committed Jun 30, 2026
    f69cf0f
  2. Skip Windows code signing outside production deploys

    Gate signing in sign.ps1 on a new DO_PUBLISH env var, set in the
    deployment workflow to true only for production. This avoids attempting
    code signing in non-production environments, consistent with the
    existing DO_PUBLISH gating used elsewhere in the workflow.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    niik and Copilot committed Jun 30, 2026
    83f9562