test+hardening: zero-dep bash test suite, strict lint, PAT docs
- tests/: unit (validation/injection guards) + e2e (merge/no-op/dry-run/reset/rebase/token-masking)
running the real script against throwaway local git repos
- fix: rebase mode rewrites history -> force-push (lease) like reset (caught by tests)
- scripts/sync.sh now passes shellcheck --enable=all --severity=style
- CI runs shellcheck (strict) + actionlint + the test suite
- docs/github-pat-setup.md: click-by-click least-privilege fine-grained PAT guide
- README: dev/test section, sync-mode + token doc links
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
README.md: 23 additions & 7 deletions
@@ -102,11 +102,12 @@ jobs:
102
102
| Mode | What it does | When to use |
103
103
|------|--------------|-------------|
104
104
| `merge` *(default)* | Merges `upstream/<branch>` into your target, creating a merge commit when histories diverge. | You keep your own commits on the fork and want upstream changes merged in. |
105
-
| `rebase` | Replays your target's commits on top of upstream. | You keep a small, linear set of changes on top of upstream. |
105
+
| `rebase` | Replays your target's commits on top of upstream, then force-pushes (`--force-with-lease`). | You keep a small, linear set of changes on top of upstream. |
106
106
| `reset` | Hard-resets the target to **exactly** match upstream, then force-pushes (`--force-with-lease`). | An "untouched" mirror fork — discard any divergence and track upstream verbatim. |
107
107
108
-
> `reset` rewrites your branch history and force-pushes. Only use it on a branch
109
-
> you keep pristine for upstream tracking.
108
+
> Both `rebase` and `reset` rewrite the target branch's history and therefore
109
+
> force-push (lease-guarded). Only use them on a branch you keep for upstream
110
+
> tracking, not one others push to. `merge` never force-pushes.
110
111
111
112
## Recipe: auto-deploy a customer's Cloudflare Worker from a fork
112
113
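Review bot: the new `rebase` row and the widened blockquote correctly say that `rebase` now force-pushes with `--force-with-lease`, but "lease-guarded" promises more than the bare flag delivers and the docs should say so. With no explicit expected value, `--force-with-lease` compares the remote branch against the local remote-tracking ref, so if `sync.sh` fetches the target branch right before pushing, the lease is satisfied by whatever that fetch just brought in and a commit someone pushed in the meantime is still overwritten. Suggest either adding that limitation next to "lease-guarded" in the blockquote, or, if the script captures the target's SHA before rebasing and pushes with `--force-with-lease=<branch>:<sha>`, stating that explicitly so readers know what the guard actually checks.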
@@ -116,10 +117,11 @@ The fork syncs itself (triggered instantly, or on a schedule) and Cloudflare
116
117
Workers Builds deploys on the resulting push.
117
118
118
119
See **[docs/cloudflare-fork-deploy.md](docs/cloudflare-fork-deploy.md)** for the
119
-
full two-sided setup, including least-privilege token scopes and the
120
-
`.github/workflows/`push caveat. Ready-to-copy workflows are in
121
-
[`examples/origin-repo`](examples/origin-repo) and
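Review bot: this hunk is cut off in this view: the three removed lines ("full two-sided setup, including least-privilege token scopes and the `.github/workflows/`push caveat. Ready-to-copy workflows are in ...") have no visible `+` replacement, so the review cannot confirm the `.github/workflows/` push caveat survives the rewrite. That caveat is exactly what the new PAT table depends on (the `FORK_PUSH_TOKEN` row is conditioned on upstream touching `.github/workflows/`), so the replacement paragraph should keep it and link `docs/github-pat-setup.md` next to `docs/cloudflare-fork-deploy.md`, as the commit message says it does. Also note the missing space in "`.github/workflows/`push" in the removed line; worth fixing in the replacement rather than carrying it forward.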
|**`FORK_DISPATCH_TOKEN`**| Always (instant-dispatch trigger) |**Customer**| The **upstream** repo's Actions secrets |**Actions: Read and write** on the fork |
18
+
|**`UPSTREAM_READ_TOKEN`**| Only if the upstream repo is **private**|**Divinci**| The **fork's** Actions secrets |**Contents: Read-only** on the upstream |
19
+
|**`FORK_PUSH_TOKEN`**| Only if the upstream changes files under `.github/workflows/`|**Customer**| The **fork's** Actions secrets |**Contents: Read and write** + **Workflows: Read and write** on the fork |
20
+
21
+
If you use the polling trigger instead of instant dispatch, you need **none**
22
+
of these for a *public* upstream — the fork's built-in `GITHUB_TOKEN` is enough.
23
+
24
+
---
25
+
26
+
## Step 1 — Generate a fine-grained PAT
27
+
28
+
The flow is identical for every token; only the **resource owner**,
29
+
**repository**, and **permission** differ (see Step 2).
30
+
31
+
1. Sign in as the account that should *own* the token (see the table — the
32
+
customer for `FORK_DISPATCH_TOKEN`, Divinci for `UPSTREAM_READ_TOKEN`).
33
+
2. Go to **GitHub → your avatar → Settings → Developer settings → Personal
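Review bot: the sentence "If you use the polling trigger instead of instant dispatch, you need none of these for a public upstream" contradicts the `FORK_PUSH_TOKEN` row just above it, whose condition is whether upstream changes files under `.github/workflows/`, not which trigger is used. The built-in `GITHUB_TOKEN` cannot push changes to workflow files (it lacks the `workflows` permission), so a polling sync of a public upstream still fails at the push step when upstream touched `.github/workflows/`. Suggest rewording to: "you need none of these for a *public* upstream unless it changes files under `.github/workflows/`, in which case `FORK_PUSH_TOKEN` is still required." The rest of Step 1 is truncated in this view, so the permission screenshots/steps referenced by "see Step 2" could not be checked.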