A public CI broker. Private repos on GitHub draw Actions minutes from the org's paid pool; public repos get them for free and unlimited. This repo borrows its free minutes to build a private repo and publish it to Cloudflare Pages — the private code only ever exists on the ephemeral runner during the job and is never committed or exposed here.
Use it when a private repo can't deploy because the org's private-repo Actions minutes are exhausted.
Add three secrets to this repo (Settings → Secrets and variables → Actions), or with the CLI:
# 1. A fine-grained PAT with "Contents: read" on the private repos you want to deploy.
# Create at: https://github.com/settings/personal-access-tokens/new
# (Resource owner: AxeForging · Repository access: only the repos you'll build · Contents: Read-only)
gh secret set TARGET_REPO_TOKEN -R AxeForging/gh-agent # paste the PAT
# 2. Cloudflare Pages deploy credentials (same values the target repo's own deploy uses).
gh secret set CLOUDFLARE_API_TOKEN -R AxeForging/gh-agent # Cloudflare API token (Pages: Edit)
gh secret set CLOUDFLARE_ACCOUNT_ID -R AxeForging/gh-agent # Cloudflare account idSecrets in a public repo are encrypted and are not exposed by the repo being public — they are only decrypted inside a running workflow. Safety depends on the trigger being dispatch-only (below).
gh workflow run deploy.yml -R AxeForging/gh-agent \
-f repo=AxeForging/tools.axeforge \
-f ref=main \
-f project=axeforging-toolingInputs:
| Input | Required | Default | Meaning |
|---|---|---|---|
repo |
yes | — | Private repo to build, owner/name |
ref |
no | main |
Branch, tag, or SHA to build |
project |
yes | — | Cloudflare Pages project name |
pages_branch |
no | main |
Pages branch (main = production, else preview) |
output_dir |
no | dist |
Build output directory to publish |
The build is hardcoded to npm ci + npm run build (all AxeForge frontends match). To support a
different toolchain, add inputs and a matching step in .github/workflows/deploy.yml.
- Dispatch-only. The workflow has only a
workflow_dispatchtrigger, so only members with write access to this repo can run it. Never addpull_request/pull_request_target— that would let outside forks run with the secrets. - Least privilege. Scope
TARGET_REPO_TOKENto just the repos you deploy (fine-grained PAT, or swap it for a GitHub App installation token). The workflow's ownGITHUB_TOKENiscontents: read. - Trust the target. The job runs the target repo's
npm ci/npm run build, which execute with the job's environment — only point this at repos you own and trust. Cloudflare creds are scoped to the deploy step, not the build step, and the checkout PAT is not persisted to git config.