diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 88f66666..6c609b5e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -18,7 +18,7 @@ jobs:
 analyze:
 name: CodeQL analysis (${{ matrix.language }})
 runs-on: ubuntu-latest
-# Skip forked PRs where GITHUB_TOKEN lacks security-events permissions
+# Skip forked PRs where CPMP_TOKEN lacks security-events permissions
 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
 permissions:
 contents: read
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 795f7a3b..4c11cf88 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -90,7 +90,7 @@ jobs:
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
-password: ${{ secrets.PROJECT_TOKEN }}
+password: ${{ secrets.CPMP_TOKEN }}

 - name: Extract metadata (tags, labels)
 if: steps.skip.outputs.skip_build != 'true'
@@ -162,7 +162,7 @@ jobs:
 uses: github/codeql-action/upload-sarif@f079b8493333aace61c81488f8bd40919487bd9f # v3.26.13
 with:
 sarif_file: 'trivy-results.sarif'
-token: ${{ secrets.CPMP_GHPR_TOKEN }}
+token: ${{ secrets.CPMP_TOKEN }}

 - name: Create summary
 if: steps.skip.outputs.skip_build != 'true'
@@ -207,7 +207,7 @@ jobs:
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
-password: ${{ secrets.PROJECT_TOKEN }}
+password: ${{ secrets.CPMP_TOKEN }}

 - name: Pull Docker image
 run: docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }}
diff --git a/.github/workflows/propagate-changes.yml b/.github/workflows/propagate-changes.yml
index 4b9dbbb3..d7238ba8 100644
--- a/.github/workflows/propagate-changes.yml
+++ b/.github/workflows/propagate-changes.yml
@@ -103,4 +103,4 @@ jobs:
 }
 }
 env:
-GITHUB_TOKEN: ${{ secrets.PROJECT_TOKEN }}
+CPMP_TOKEN: ${{ secrets.CPMP_TOKEN }}
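Review bot: The rewritten comment in the codeql.yml hunk is now wrong: the `if:` guard and the `permissions:` block that follow it are about the ephemeral `GITHUB_TOKEN`, which is what lacks `security-events: write` on pull requests from forks; nothing in this hunk uses `CPMP_TOKEN`, and a repository secret is not exposed to fork PRs in the first place, so the comment no longer explains the guard. This reads like a blanket search-and-replace of `GITHUB_TOKEN` and should be restored to `# Skip forked PRs where GITHUB_TOKEN lacks security-events permissions`. The same mechanical replacement appears to have produced contradictory statements in the documentation hunks later in this commit (e.g. "built-in `CPMP_TOKEN`" and "`CPMP_TOKEN` → `CPMP_TOKEN`"), so a grep of the whole change for replaced references is advisable before merge. The `analyze` job continues past the end of this hunk.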
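Review bot: In the docker-publish.yml hunk at `@@ -162,7`, replacing the dedicated `CPMP_GHPR_TOKEN` with `CPMP_TOKEN` folds the SARIF-upload credential into the same PAT this commit now uses for registry login, release creation, Renovate and branch pruning, so a single long-lived secret carries the union of those privileges and a leak of it reaches all of them. For uploading SARIF to the same repository the job's own `GITHUB_TOKEN` is sufficient once `security-events: write` is granted in `permissions:`, so `token: ${{ secrets.GITHUB_TOKEN }}` (or dropping the `token:` input, which defaults to `github.token`) avoids the PAT here entirely; the same applies to the two registry-login hunks in this file if `packages: write` is granted. If the PAT is deliberate because this workflow runs on fork PRs or writes to another repository, a one-line comment beside `token:` saying so would spare the next reader the question. The job's `permissions:` block is outside the hunk, so I can't confirm what it currently grants.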
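Review bot: In the propagate-changes.yml hunk, renaming the env key from `GITHUB_TOKEN` to `CPMP_TOKEN` changes which variable the step exports, not merely which secret fills it, so anything in that step that reads the conventional `GITHUB_TOKEN` (the `gh` CLI, octokit defaults, git credential helpers) will now run unauthenticated or fall back to whatever token is otherwise present. The secret rename only requires the value side to change: `GITHUB_TOKEN: ${{ secrets.CPMP_TOKEN }}`. The step this `env:` belongs to starts before the hunk, so I cannot see from here what consumes the variable; worth verifying against the script body before merge.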
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d395f246..74c957ef 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -125,7 +125,7 @@ jobs:
 artifacts/caddy-linux-arm64/caddy-linux-arm64
 generate_release_notes: true
 prerelease: ${{ contains(github.ref_name, 'alpha') || contains(github.ref_name, 'beta') || contains(github.ref_name, 'rc') }}
-token: ${{ secrets.PROJECT_TOKEN }}
+token: ${{ secrets.CPMP_TOKEN }}

 build-and-publish:
 needs: create-release
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 67e5cc6f..1598308b 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -22,6 +22,6 @@ jobs:
 uses: renovatebot/github-action@c91a61c730fa166439cd3e2c300c041590002b1d # v44.0.3
 with:
 configurationFile: .github/renovate.json
-token: ${{ secrets.PROJECT_TOKEN }}
+token: ${{ secrets.CPMP_TOKEN }}
 env:
 LOG_LEVEL: info
diff --git a/.github/workflows/renovate_prune.yml b/.github/workflows/renovate_prune.yml
index 0c7762ea..f7005a05 100644
--- a/.github/workflows/renovate_prune.yml
+++ b/.github/workflows/renovate_prune.yml
@@ -25,7 +25,7 @@ jobs:
 - name: Prune renovate branches
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 with:
-github-token: ${{ secrets.PROJECT_TOKEN }}
+github-token: ${{ secrets.CPMP_TOKEN }}
 script: |
 const owner = context.repo.owner;
 const repo = context.repo.repo;
diff --git a/GHCR_MIGRATION_SUMMARY.md b/GHCR_MIGRATION_SUMMARY.md
index 392b78e5..f84e37d5 100644
--- a/GHCR_MIGRATION_SUMMARY.md
+++ b/GHCR_MIGRATION_SUMMARY.md
@@ -14,7 +14,7 @@ Updated all workflows and documentation to use GitHub Container Registry (GHCR) ### Benefits of GHCR: ✅ **No extra accounts needed** - Uses your GitHub account -✅ **Automatic authentication** - Uses built-in `GITHUB_TOKEN` +✅ **Automatic authentication** - Uses built-in `CPMP_TOKEN` ✅ **Free for public repos** - No Docker Hub rate limits ✅ **Integrated with repo** - Packages show up on your GitHub profile ✅ **Better security** - No need to store Docker Hub credentials @@ -24,7 +24,7 @@ Updated all workflows and documentation to use GitHub Container Registry (GHCR) #### 1. `.github/workflows/docker-build.yml` - Changed registry from `docker.io` to `ghcr.io` - Updated image name to use `${{ github.repository }}` (automatically resolves to `wikid82/caddyproxymanagerplus`) -- Changed login action to use GitHub Container Registry with `GITHUB_TOKEN` +- Changed login action to use GitHub Container Registry with `CPMP_TOKEN` - Updated all image references throughout workflow - Updated summary outputs to show GHCR URLs @@ -55,7 +55,7 @@ env: with: registry: ghcr.io username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + password: ${{ secrets.CPMP_TOKEN }} ``` #### 2. `docs/github-setup.md` diff --git a/PROJECT_BOARD_SETUP.md b/PROJECT_BOARD_SETUP.md index 289a03e3..40ebac58 100644 --- a/PROJECT_BOARD_SETUP.md +++ b/PROJECT_BOARD_SETUP.md @@ -198,7 +198,7 @@ gh issue create \ The GitHub Actions workflows require these permissions: - ✅ **`issues: write`** - To add labels (already included) -- ✅ **`GITHUB_TOKEN`** - Automatically provided (already configured) +- ✅ **`CPMP_TOKEN`** - Automatically provided (already configured) - ⚠️ **Project Board Access** - Ensure Actions can access projects ### To verify project access: diff --git a/docs/beta_release_draft_pr.md b/docs/beta_release_draft_pr.md index 0ce5729e..549536ca 100644 --- a/docs/beta_release_draft_pr.md +++ b/docs/beta_release_draft_pr.md 
@@ -5,7 +5,7 @@ This draft PR merges recent beta preparation changes from `feature/beta-release` ## Changes Included 1. Workflow Token Updates - - Replaced deprecated `GITHUB_TOKEN` usage with `PROJECT_TOKEN` per new GitHub token naming restrictions. + - Replaced deprecated `CPMP_TOKEN` usage with `CPMP_TOKEN` per new GitHub token naming restrictions. - Ensured consistent secret reference across `release.yml` and `renovate_prune.yml`. 2. Release Workflow Adjustments - Fixed environment variable configuration for release publication. @@ -16,9 +16,9 @@ This draft PR merges recent beta preparation changes from `feature/beta-release` - (Previously merged) Improvements to locate and package the `dlv` binary reliably in multi-arch builds. ## Commits Ahead of `feature/alpha-completion` -- 6c8ba7b fix: replace GITHUB_TOKEN with PROJECT_TOKEN in workflows -- de1160a fix: revert to PROJECT_TOKEN -- 7aee12b fix: use GITHUB_TOKEN in release workflow +- 6c8ba7b fix: replace CPMP_TOKEN with CPMP_TOKEN in workflows +- de1160a fix: revert to CPMP_TOKEN +- 7aee12b fix: use CPMP_TOKEN in release workflow - 0449681 docs: add beta-release draft PR summary - fc08514 docs: update beta-release draft PR summary with new commit - 18c3621 docs: update beta-release draft PR summary with second update @@ -61,7 +61,7 @@ This draft PR merges recent beta preparation changes from `feature/beta-release` ## Request Marking this as a DRAFT to allow review of token changes before merge. Please: -- Confirm `PROJECT_TOKEN` exists in repo secrets. +- Confirm `CPMP_TOKEN` exists in repo secrets. - Review for any missed workflow references. --- diff --git a/docs/beta_release_draft_pr_body_snapshot.md b/docs/beta_release_draft_pr_body_snapshot.md index 8af3819f..96a04a89 100644 --- a/docs/beta_release_draft_pr_body_snapshot.md +++ b/docs/beta_release_draft_pr_body_snapshot.md 
@@ -4,7 +4,7 @@ This draft PR merges recent beta preparation changes from `feature/beta-release` into `feature/alpha-completion` to align the alpha integration branch with the latest CI, workflow, and release process improvements. ## Changes Included (Summary) -- Workflow token migration (`GITHUB_TOKEN` → `PROJECT_TOKEN`) across release and maintenance workflows. +- Workflow token migration (`CPMP_TOKEN` → `CPMP_TOKEN`) across release and maintenance workflows. - Stabilized release workflow prerelease detection and artifact publication. - Prior (already merged earlier) CI enhancements: pinned action versions, Docker multi-arch debug tooling reliability, dynamic `dlv` binary resolution. - Documentation updates enumerating each incremental workflow/token adjustment for auditability. @@ -16,7 +16,7 @@ This draft PR merges recent beta preparation changes from `feature/beta-release` Ensures alpha integration branch inherits hardened CI/release pipeline and updated secret naming policy before further alpha feature consolidation. ## Risk & Mitigation -- Secret Name Change: Requires `PROJECT_TOKEN` to exist. Mitigation: Verify secret presence before merge. +- Secret Name Change: Requires `CPMP_TOKEN` to exist. Mitigation: Verify secret presence before merge. - Workflow Fan-out: Reusable workflow path validated locally; CI run (draft) will confirm. ## Follow-ups (Out of Scope) @@ -30,9 +30,9 @@ Ensures alpha integration branch inherits hardened CI/release pipeline and updat - [ ] Draft PR CI run (pending after opening) ## Requested Review Focus -1. Confirm `PROJECT_TOKEN` availability. +1. Confirm `CPMP_TOKEN` availability. 2. Sanity-check release artifact matrix remains correct. -3. Spot any residual `GITHUB_TOKEN` references missed. +3. Spot any residual `CPMP_TOKEN` references missed. --- Generated draft to align branches; will convert to ready-for-review after validation. 
diff --git a/docs/beta_release_pr_body.md b/docs/beta_release_pr_body.md index 405468d2..5939dba6 100644 --- a/docs/beta_release_pr_body.md +++ b/docs/beta_release_pr_body.md @@ -4,7 +4,7 @@ Draft PR to merge hardened CI/release workflow changes from `feature/beta-release` into `feature/alpha-completion`. ## Highlights -- Secret token migration: all workflows now use `PROJECT_TOKEN` (GitHub blocks new secrets containing `GITHUB`). +- Secret token migration: all workflows now use `CPMP_TOKEN` (GitHub blocks new secrets containing `GITHUB`). - Release workflow refinements: stable prerelease detection (alpha/beta/rc), artifact matrix intact. - Prior infra hardening (already partially merged earlier): pinned GitHub Action SHAs/tags, resilient Delve (`dlv`) multi-arch build handling. - Extensive incremental documentation trail in `docs/beta_release_draft_pr.md` plus concise snapshot in `docs/beta_release_draft_pr_body_snapshot.md` for reviewers. @@ -13,8 +13,8 @@ Draft PR to merge hardened CI/release workflow changes from `feature/beta-releas Most recent snapshot commit: `308ae5dd` (final body content before PR). Full ordered list in `docs/beta_release_draft_pr.md`. ## Review Checklist -- Secret `PROJECT_TOKEN` exists and has required scopes. -- No lingering `GITHUB_TOKEN` references beyond allowed GitHub-provided contexts. +- Secret `CPMP_TOKEN` exists and has required scopes. +- No lingering `CPMP_TOKEN` references beyond allowed GitHub-provided contexts. - Artifact list (frontend dist, backend binaries, caddy binaries) still correct for release. ## Risks & Mitigations diff --git a/docs/github-setup.md b/docs/github-setup.md index 5d5d6624..b13f89db 100644 --- a/docs/github-setup.md +++ b/docs/github-setup.md 
@@ -10,7 +10,7 @@ The Docker build workflow uses GitHub Container Registry (GHCR) to store your im ### How It Works: -GitHub Actions automatically uses the built-in `GITHUB_TOKEN` which has permission to: +GitHub Actions automatically uses the built-in `CPMP_TOKEN` which has permission to: - ✅ Push images to `ghcr.io/wikid82/caddyproxymanagerplus` - ✅ Link images to your repository - ✅ Publish images for free (public repositories) @@ -157,12 +157,12 @@ When you're ready to release a new version: ### Docker Build Fails **Problem**: "Error: denied: requested access to the resource is denied" -- **Fix**: This shouldn't happen with `GITHUB_TOKEN` - check workflow permissions +- **Fix**: This shouldn't happen with `CPMP_TOKEN` - check workflow permissions - **Verify**: Settings → Actions → General → Workflow permissions → "Read and write permissions" enabled **Problem**: Can't pull the image - **Fix**: Make the package public (see Step 1 above) -- **Or**: Authenticate with GitHub: `echo $GITHUB_TOKEN | docker login ghcr.io -u USERNAME --password-stdin` +- **Or**: Authenticate with GitHub: `echo $CPMP_TOKEN | docker login ghcr.io -u USERNAME --password-stdin` ### Docs Don't Deploy