From 899726a9791682c478ec32d0cbe2732cba9bd75f Mon Sep 17 00:00:00 2001 From: Andy Bonventre Date: Wed, 15 Jul 2026 08:46:16 -0400 Subject: [PATCH 1/3] ci: notify majorcontext.com when docs change on main --- .github/workflows/notify-site.yml | 40 +++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 .github/workflows/notify-site.yml diff --git a/.github/workflows/notify-site.yml b/.github/workflows/notify-site.yml new file mode 100644 index 0000000..3e52049 --- /dev/null +++ b/.github/workflows/notify-site.yml @@ -0,0 +1,40 @@ +# Notifies majorcontext.com to rebuild immediately when gatekeeper docs +# change on main, instead of waiting for the site's daily 09:17 UTC cron. +# +# Requires a secret named SITE_DISPATCH_TOKEN: a fine-grained personal +# access token, owned by an account with write access to +# majorcontext/majorcontext.com, scoped to that single repository, with +# repository permission "Contents: Read and write" (this is what the +# repos/{owner}/{repo}/dispatches endpoint requires; "Metadata: Read-only" +# is auto-selected alongside it — no other permissions are needed). +# +# This job fails soft: if the secret is unset or the token has expired, +# it logs a notice and exits 0 rather than turning every docs push red. +# The site's daily cron already covers this case as a fallback. +name: Notify site of docs update + +on: + push: + branches: [main] + paths: + - docs/content/** + - docs/README.md + +jobs: + dispatch: + runs-on: ubuntu-latest + steps: + - name: Send repository_dispatch to majorcontext.com + env: + GH_TOKEN: ${{ secrets.SITE_DISPATCH_TOKEN }} + run: | + if [ -z "${GH_TOKEN}" ]; then + echo "::notice::SITE_DISPATCH_TOKEN is not set; skipping dispatch. The site's daily cron will pick up this change instead." + exit 0 + fi + + if ! gh api repos/majorcontext/majorcontext.com/dispatches \ + -f event_type=docs-updated; then + echo "::notice::Dispatch to majorcontext.com failed (token may be expired or missing permissions); skipping. The site's daily cron will pick up this change instead." + exit 0 + fi From 841b9d98861ebb573e71478e0fc33632bf44ac87 Mon Sep 17 00:00:00 2001 From: Andy Bonventre Date: Wed, 15 Jul 2026 09:23:28 -0400 Subject: [PATCH 2/3] ci: pin notify-site job to contents:read permissions --- .github/workflows/notify-site.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/notify-site.yml b/.github/workflows/notify-site.yml index 3e52049..34bbd39 100644 --- a/.github/workflows/notify-site.yml +++ b/.github/workflows/notify-site.yml @@ -23,6 +23,10 @@ on: jobs: dispatch: runs-on: ubuntu-latest + # This job uses SITE_DISPATCH_TOKEN, never GITHUB_TOKEN — pin the default + # token to read-only so its scope can't silently widen with org defaults. + permissions: + contents: read steps: - name: Send repository_dispatch to majorcontext.com env: From 9f33f42ad16edc05a81232a6dc2e32e33f5957bb Mon Sep 17 00:00:00 2001 From: Andy Bonventre Date: Wed, 15 Jul 2026 09:28:41 -0400 Subject: [PATCH 3/3] ci: grant notify-site job empty permissions (no checkout needed) --- .github/workflows/notify-site.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/notify-site.yml b/.github/workflows/notify-site.yml index 34bbd39..c586f37 100644 --- a/.github/workflows/notify-site.yml +++ b/.github/workflows/notify-site.yml @@ -23,10 +23,10 @@ on: jobs: dispatch: runs-on: ubuntu-latest - # This job uses SITE_DISPATCH_TOKEN, never GITHUB_TOKEN — pin the default - # token to read-only so its scope can't silently widen with org defaults. - permissions: - contents: read + # This job uses SITE_DISPATCH_TOKEN, never GITHUB_TOKEN, and never checks + # out the repo — grant the default token nothing so its scope can't + # silently widen with org defaults. + permissions: {} steps: - name: Send repository_dispatch to majorcontext.com env: