From 0300cec4bb76d2fa81572dacfee83753dfb7e913 Mon Sep 17 00:00:00 2001 From: Ethan Arrowood Date: Tue, 26 May 2026 14:02:37 -0600 Subject: [PATCH 1/3] feat: dispatch docs-updated to skills repo after deploy (Phase 2b) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a notify-skills job to the deploy workflow that fires a repository_dispatch (event_type: docs-updated, with the docs commit SHA) to HarperFast/skills after a successful Pages deploy. The skills repo's generate.yaml workflow listens for this and regenerates its docs-driven rules against the just-deployed content. Requires a SKILLS_DISPATCH_TOKEN secret — a PAT or App token with contents:write on HarperFast/skills (the default GITHUB_TOKEN is scoped to this repo and cannot dispatch cross-repo). If the secret is absent the step skips cleanly; the skills repo also runs a weekly safety-net cron, so a missing token degrades to "synced weekly" rather than breaking the deploy. Companion to the generate.yaml workflow in HarperFast/skills. See the docs-driven-skills plan in that repo. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/deploy.yaml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 88148f78..1a9ed652 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -119,3 +119,32 @@ jobs:
 - name: Deploy to GitHub Pages
 id: deployment
 uses: actions/deploy-pages@v4
+
+ # Notify the skills repo that docs changed, so it can regenerate its
+ # docs-driven rules against the just-deployed content. See the
+ # generate.yaml workflow in HarperFast/skills (Phase 2 of the
+ # docs-driven-skills plan). Requires SKILLS_DISPATCH_TOKEN — a PAT or
+ # App token with contents:write on HarperFast/skills (the default
+ # GITHUB_TOKEN is scoped to this repo only and cannot dispatch across
+ # repos). If the secret is absent, the step is skipped (the skills repo
+ # also runs a weekly safety-net cron).
+ notify-skills:
+ needs: deploy
+ name: Notify skills repo
+ runs-on: ubuntu-latest
+ steps:
+ - name: Dispatch docs-updated to HarperFast/skills
+ # secrets can't be used in an `if:` expression, so guard inside the
+ # script: if the token is absent, skip cleanly (the skills repo's
+ # weekly cron is the safety net).
+ env:
+ GH_TOKEN: ${{ secrets.SKILLS_DISPATCH_TOKEN }}
+ run: |
+ if [ -z "$GH_TOKEN" ]; then
+ echo "SKILLS_DISPATCH_TOKEN not set — skipping dispatch (skills repo cron will pick up docs changes)."
+ exit 0
+ fi
+ gh api repos/HarperFast/skills/dispatches \
+ -f event_type=docs-updated \
+ -F client_payload[sha]=${{ github.sha }}
+
From d575b3ddccdcec3e60236442af03d98c2480a50d Mon Sep 17 00:00:00 2001
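Review bot: The new `notify-skills` job declares no `permissions:` block, so it runs with whatever `GITHUB_TOKEN` grant the workflow sets at the top level (not visible in this hunk; for a Pages deploy that usually includes `pages: write` and `id-token: write`). The job only calls the API with the dispatch credential and never uses `GITHUB_TOKEN`, so I would add `permissions: {}` under `notify-skills:` to keep the job that holds the cross-repo credential at zero ambient privilege. Separately, `${{ github.sha }}` is expanded into the script text before the shell runs; a SHA is harmless there, but passing it through `env:` as `DOCS_SHA: ${{ github.sha }}` and sending `-f "client_payload[sha]=$DOCS_SHA"` keeps the step free of inline expression interpolation and sends the value as a plain string.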
From: Ethan Arrowood Date: Tue, 26 May 2026 14:28:15 -0600 Subject: [PATCH 2/3] =?UTF-8?q?feat:=20authenticate=20docs=E2=86=92skills?= =?UTF-8?q?=20dispatch=20via=20GitHub=20App=20token?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaces the SKILLS_DISPATCH_TOKEN PAT with the org-owned harper-skills-sync GitHub App. The notify-skills job mints a short-lived token scoped to HarperFast/skills via actions/create-github-app-token (pinned to v3.2.0, owner+repositories scoping) using the SKILLS_SYNC_APP_ID / SKILLS_SYNC_APP_PRIVATE_KEY secrets, then fires the repository_dispatch. The App must be installed on the skills repo; this repo only holds the App credentials. Same App as the skills-side generate.yaml workflow. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/deploy.yaml | 31 ++++++++++++++++++-------------
 1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 1a9ed652..83deb678 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -123,27 +123,32 @@ jobs:
 # Notify the skills repo that docs changed, so it can regenerate its
 # docs-driven rules against the just-deployed content. See the
 # generate.yaml workflow in HarperFast/skills (Phase 2 of the
- # docs-driven-skills plan). Requires SKILLS_DISPATCH_TOKEN — a PAT or
- # App token with contents:write on HarperFast/skills (the default
- # GITHUB_TOKEN is scoped to this repo only and cannot dispatch across
- # repos). If the secret is absent, the step is skipped (the skills repo
- # also runs a weekly safety-net cron).
+ # docs-driven-skills plan).
+ #
+ # Authenticates as the org-owned "harper-skills-sync" GitHub App, minting
+ # a token scoped to HarperFast/skills (the default GITHUB_TOKEN is scoped
+ # to this repo only and cannot dispatch cross-repo). The App must be
+ # installed on the skills repo; this repo holds its SKILLS_SYNC_APP_ID /
+ # SKILLS_SYNC_APP_PRIVATE_KEY secrets. If the App is ever removed, the
+ # skills repo's weekly cron is the safety net.
 notify-skills:
 needs: deploy
 name: Notify skills repo
 runs-on: ubuntu-latest
 steps:
+ - name: Mint app token for skills
+ id: app-token
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+ with:
+ app-id: ${{ secrets.SKILLS_SYNC_APP_ID }}
+ private-key: ${{ secrets.SKILLS_SYNC_APP_PRIVATE_KEY }}
+ owner: HarperFast
+ repositories: skills
+
 - name: Dispatch docs-updated to HarperFast/skills
- # secrets can't be used in an `if:` expression, so guard inside the
- # script: if the token is absent, skip cleanly (the skills repo's
- # weekly cron is the safety net).
 env:
- GH_TOKEN: ${{ secrets.SKILLS_DISPATCH_TOKEN }}
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
 run: |
- if [ -z "$GH_TOKEN" ]; then
- echo "SKILLS_DISPATCH_TOKEN not set — skipping dispatch (skills repo cron will pick up docs changes)."
- exit 0
- fi
 gh api repos/HarperFast/skills/dispatches \
 -f event_type=docs-updated \
 -F client_payload[sha]=${{ github.sha }}
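Review bot: The token minted in the `Mint app token for skills` step is limited to the `skills` repository but not to a permission, so it carries every permission the harper-skills-sync installation holds; since the commit message says the same App backs the skills-side generate.yaml workflow, that is probably more than a dispatch needs. Adding `permission-contents: write` under `with:` narrows the token to what `repository_dispatch` requires. The hunk also removes the empty-token guard, so on a fork or after a secret is deleted the mint step fails and the run goes red after a successful deploy, while the updated comment still describes the weekly cron as the safety net. A job-level `if: github.repository_owner == 'HarperFast'` would keep forks from attempting the mint at all.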
From b242ef27f21345bde8c310f701d1f96a5854e4e6 Mon Sep 17 00:00:00 2001 From: Ethan Arrowood Date: Tue, 26 May 2026 15:50:22 -0600 Subject: [PATCH 3/3] style: satisfy prettier on deploy.yaml (trailing newline) Remove the trailing blank line introduced when adding the notify-skills job, so `prettier --check` passes in CI. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/deploy.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 83deb678..ea930527 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -152,4 +152,3 @@ jobs:
 gh api repos/HarperFast/skills/dispatches \
 -f event_type=docs-updated \
 -F client_payload[sha]=${{ github.sha }}
-