chore: centralize secure authenticated git push

Author: paulbalandan

.github/scripts/deploy-appstarter

@@ -32,4 +32,4 @@ cp -Rf ${SOURCE}/admin/starter/. ./
 # Commit the changes
 git add .
 git commit -m "Release ${RELEASE}"
-git push
+bash ${SOURCE}/.github/scripts/secure-git-push https://github.com/codeigniter4/appstarter.git HEAD:master

.github/scripts/deploy-framework

@@ -34,4 +34,4 @@ cp -Rf ${SOURCE}/admin/starter/tests/. ./tests/
 # Commit the changes
 git add .
 git commit -m "Release ${RELEASE}"
-git push
+bash ${SOURCE}/.github/scripts/secure-git-push https://github.com/codeigniter4/framework.git HEAD:master

.github/scripts/deploy-userguide

@@ -58,4 +58,4 @@ touch ${TARGET}/docs/.nojekyll
 # Commit the changes
 git add .
 git commit -m "Release ${RELEASE}"
-git push
+bash ${SOURCE}/.github/scripts/secure-git-push https://github.com/codeigniter4/userguide.git HEAD:master

.github/scripts/secure-git-push

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [[ $# -ne 2 ]]; then
+    echo "Usage: secure-git-push <remote-url> <refspec>" >&2
+    exit 1
+fi
+
+if [[ -z "${PUSH_TOKEN:-}" ]]; then
+    echo "PUSH_TOKEN is required" >&2
+    exit 1
+fi
+
+REMOTE_URL="$1"
+REFSPEC="$2"
+AUTH_HEADER="$(printf 'x-access-token:%s' "${PUSH_TOKEN}" | base64 | tr -d '\n')"
+
+echo "::add-mask::${AUTH_HEADER}"
+git -c http.https://github.com/.extraheader="AUTHORIZATION: basic ${AUTH_HEADER}" push "${REMOTE_URL}" "${REFSPEC}"
+
+unset AUTH_HEADER PUSH_TOKEN

.github/workflows/deploy-apidocs.yml

@@ -68,9 +68,11 @@ jobs:
 
       - name: Deploy to API repo
         working-directory: api
+        env:
+          PUSH_TOKEN: ${{ secrets.ACCESS_TOKEN }}
         run: |
           git add .
           if ! git diff-index --quiet HEAD; then
             git commit -m "Updated API for commit ${GITHUB_SHA}"
-            git push origin master
+            bash ${GITHUB_WORKSPACE}/.github/scripts/secure-git-push https://github.com/codeigniter4/api.git HEAD:master
           fi

.github/workflows/deploy-distributables.yml

@@ -67,6 +67,8 @@ jobs:
         run: chmod +x ./source/.github/scripts/deploy-framework
 
       - name: Deploy
+        env:
+          PUSH_TOKEN: ${{ secrets.ACCESS_TOKEN }}
         run: ./source/.github/scripts/deploy-framework ${GITHUB_WORKSPACE}/source ${GITHUB_WORKSPACE}/framework ${GITHUB_REF##*/}
 
       - name: Release
@@ -119,6 +121,8 @@ jobs:
         run: chmod +x ./source/.github/scripts/deploy-appstarter
 
       - name: Deploy
+        env:
+          PUSH_TOKEN: ${{ secrets.ACCESS_TOKEN }}
         run: ./source/.github/scripts/deploy-appstarter ${GITHUB_WORKSPACE}/source ${GITHUB_WORKSPACE}/appstarter ${GITHUB_REF##*/}
 
       - name: Release
@@ -181,6 +185,8 @@ jobs:
         run: chmod +x ./source/.github/scripts/deploy-userguide
 
       - name: Deploy
+        env:
+          PUSH_TOKEN: ${{ secrets.ACCESS_TOKEN }}
         run: ./source/.github/scripts/deploy-userguide ${GITHUB_WORKSPACE}/source ${GITHUB_WORKSPACE}/userguide ${GITHUB_REF##*/}
 
       - name: Release

.github/workflows/deploy-userguide-latest.yml

@@ -19,7 +19,7 @@ jobs:
   build:
     name: Deploy to gh-pages
     permissions:
-      # Allow ad-m/github-push-action to push commit to branch gh-pages
+      # Allow push to branch gh-pages
       contents: write
     if: (github.repository == 'codeigniter4/CodeIgniter4')
     runs-on: ubuntu-24.04
@@ -77,8 +77,7 @@ jobs:
           git commit -m "Update User Guide" -a || true
 
       - name: Push changes
-        uses: ad-m/github-push-action@v1.0.0
-        with:
-          branch: gh-pages
-          directory: gh-pages
-          github_token: ${{ secrets.ACCESS_TOKEN }}
+        working-directory: gh-pages
+        env:
+          PUSH_TOKEN: ${{ secrets.ACCESS_TOKEN }}
+        run: bash ${GITHUB_WORKSPACE}/.github/scripts/secure-git-push https://github.com/codeigniter4/CodeIgniter4.git HEAD:gh-pages