Skip to content

AxeForging/gh-agent

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 

Repository files navigation

gh-agent

A public CI broker. Private repos on GitHub draw Actions minutes from the org's paid pool; public repos get them for free and unlimited. This repo borrows its free minutes to build a private repo and publish it to Cloudflare Pages — the private code only ever exists on the ephemeral runner during the job and is never committed or exposed here.

Use it when a private repo can't deploy because the org's private-repo Actions minutes are exhausted.

One-time setup

Add three secrets to this repo (Settings → Secrets and variables → Actions), or with the CLI:

# 1. A fine-grained PAT with "Contents: read" on the private repos you want to deploy.
#    Create at: https://github.com/settings/personal-access-tokens/new
#    (Resource owner: AxeForging · Repository access: only the repos you'll build · Contents: Read-only)
gh secret set TARGET_REPO_TOKEN     -R AxeForging/gh-agent   # paste the PAT

# 2. Cloudflare Pages deploy credentials (same values the target repo's own deploy uses).
gh secret set CLOUDFLARE_API_TOKEN  -R AxeForging/gh-agent   # Cloudflare API token (Pages: Edit)
gh secret set CLOUDFLARE_ACCOUNT_ID -R AxeForging/gh-agent   # Cloudflare account id

Secrets in a public repo are encrypted and are not exposed by the repo being public — they are only decrypted inside a running workflow. Safety depends on the trigger being dispatch-only (below).

Deploy a site

gh workflow run deploy.yml -R AxeForging/gh-agent \
  -f repo=AxeForging/tools.axeforge \
  -f ref=main \
  -f project=axeforging-tooling

Inputs:

Input Required Default Meaning
repo yes Private repo to build, owner/name
ref no main Branch, tag, or SHA to build
project yes Cloudflare Pages project name
pages_branch no main Pages branch (main = production, else preview)
output_dir no dist Build output directory to publish

The build is hardcoded to npm ci + npm run build (all AxeForge frontends match). To support a different toolchain, add inputs and a matching step in .github/workflows/deploy.yml.

Security model

  • Dispatch-only. The workflow has only a workflow_dispatch trigger, so only members with write access to this repo can run it. Never add pull_request / pull_request_target — that would let outside forks run with the secrets.
  • Least privilege. Scope TARGET_REPO_TOKEN to just the repos you deploy (fine-grained PAT, or swap it for a GitHub App installation token). The workflow's own GITHUB_TOKEN is contents: read.
  • Trust the target. The job runs the target repo's npm ci/npm run build, which execute with the job's environment — only point this at repos you own and trust. Cloudflare creds are scoped to the deploy step, not the build step, and the checkout PAT is not persisted to git config.

About

Public CI broker: builds & deploys private AxeForge repos on free public-repo Actions minutes. Dispatch-only.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors