From 49e0d6324967faa52e1fe441c58e6c2bbd19b136 Mon Sep 17 00:00:00 2001
From: Fabrizio Ferri Benedetti
Date: Fri, 24 Apr 2026 11:14:37 +0200
Subject: [PATCH 1/4] fix(codex/build): fetch ephemeral token for codex-link-index reads

docs-builder's cross-link fetcher clones elastic/codex-link-index to resolve codex/internal cross-links at build time. The private repo needs credentials, which this action did not fetch. As a result any consumer declaring a codex cross-link would fail with:

fatal: could not read Username for 'https://github.com': No such device or address

Mirror the token-fetch pattern used by codex/update-link-index, but targeting the shared read policy `token-policy-pull-codex-repositories` (registered via catalog-info for each consumer) and exporting the token as GITHUB_TOKEN so docs-builder's GitLinkIndexReader picks it up.

Surfaced via elastic/platform-capacity-team#1328, the first PR in that repo to introduce a cross-link.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 codex/build/action.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/codex/build/action.yml b/codex/build/action.yml
index bb540fd..30641c9 100644
--- a/codex/build/action.yml
+++ b/codex/build/action.yml
@@ -40,11 +40,19 @@ runs:
         echo "PATH_PREFIX=${path_prefix}" >> $GITHUB_ENV
         echo "result=${path_prefix}" >> $GITHUB_OUTPUT
       shell: bash
+    - name: Fetch ephemeral GitHub token for codex-link-index read
+      id: fetch-ephemeral-token
+      uses: elastic/ci-gh-actions/fetch-github-token@v1
+      with:
+        vault-instance: "ci-prod"
+        vault-role: "token-policy-pull-codex-repositories"
+        skip-token-revoke: true
     - name: Build
       run: docs-builder --output ./.artifacts/docs/html --path-prefix ${{ env.PATH_PREFIX }}
       shell: bash
       env:
         PATH_PREFIX: ${{ env.PATH_PREFIX }}
+        GITHUB_TOKEN: ${{ steps.fetch-ephemeral-token.outputs.token }}
     - name: Upload docs
       uses: actions/upload-artifact@v7
       with:
From 739219d395d1582de412f979d5a611f71f3f727e Mon Sep 17 00:00:00 2001
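Review bot: The new `GITHUB_TOKEN` entry on the Build step makes the Vault-issued token the ambient GitHub credential for everything docs-builder and any git credential helper it spawns do in that step, not only the codex-link-index clone, and nothing in the hunk records that scope or why the variable is named that way. A comment above the entry would help the next maintainer, e.g. `# Read-only Vault token (token-policy-pull-codex-repositories); docs-builder's GitLinkIndexReader reads GITHUB_TOKEN to clone elastic/codex-link-index`. It is also worth confirming that `fetch-github-token` registers its `token` output with `add-mask`, since a step output interpolated into `env` is otherwise exposed by any step that dumps its environment. The `runs:` block this hunk sits in starts and ends outside the hunk.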
From: Fabrizio Ferri Benedetti
Date: Fri, 24 Apr 2026 11:18:12 +0200
Subject: [PATCH 2/4] Make codex-link-index token fetch non-fatal

The self-test workflow runs codex/build against a mock docset with no cross-links and without id-token:write permission, so the Vault fetch fails with "OIDC token endpoint not exposed". Real consumers that don't declare codex cross-links would hit the same issue if their workflow isn't configured for OIDC or registered in catalog-info.

Make the fetch step non-fatal so:

- no cross-links: build runs without a token, same as before this PR;
- missing policy: falls back to anonymous HTTPS, same as before;
- properly configured: token is obtained and the private clone works.
---
 codex/build/action.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/codex/build/action.yml b/codex/build/action.yml
index 30641c9..0a42195 100644
--- a/codex/build/action.yml
+++ b/codex/build/action.yml
@@ -40,9 +40,14 @@ runs:
         echo "PATH_PREFIX=${path_prefix}" >> $GITHUB_ENV
         echo "result=${path_prefix}" >> $GITHUB_OUTPUT
       shell: bash
+    # Fetch a token for reading elastic/codex-link-index (private). Non-fatal:
+    # callers without codex cross-links don't need it, and callers missing the
+    # policy registration (catalog-info) fall back to the same anonymous-HTTPS
+    # behavior that existed before this step was added.
     - name: Fetch ephemeral GitHub token for codex-link-index read
       id: fetch-ephemeral-token
       uses: elastic/ci-gh-actions/fetch-github-token@v1
+      continue-on-error: true
       with:
         vault-instance: "ci-prod"
         vault-role: "token-policy-pull-codex-repositories"
From cd3d5c558d8fc4644ce79a8398d576bf3cae7359 Mon Sep 17 00:00:00 2001
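Review bot: With `continue-on-error: true` on the fetch step, a consumer that does declare codex cross-links but lacks `id-token: write` or the catalog-info registration no longer fails here; it fails later inside docs-builder with the same opaque `could not read Username` error this series set out to remove, and the Build step's `GITHUB_TOKEN` is set to an empty string rather than left unset. A warning keyed on the step outcome would keep the degraded path diagnosable without making it fatal; the step below does that. If GitLinkIndexReader tests for the variable's presence rather than for a non-empty value, the empty string could also make it attempt an authenticated clone with a blank credential — worth confirming against docs-builder. The `runs:` block this hunk sits in continues past the hunk.
```yaml
# … unchanged: fetch-ephemeral-token step …
    - name: Warn when the codex-link-index token was not obtained
      if: steps.fetch-ephemeral-token.outcome != 'success'
      shell: bash
      run: echo "::warning::Vault token fetch failed; private codex cross-links will not resolve"
```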
From: Fabrizio Ferri Benedetti
Date: Fri, 24 Apr 2026 11:47:34 +0200
Subject: [PATCH 3/4] Use hash-derived vault role and grant id-token:write to build job

Per reviewer feedback, align codex/build with codex/update-link-index:

- derive the vault role name from the workflow ref hash instead of using the shared policy filename directly, matching the catalog-info registration pattern.
- grant id-token:write to the build job in codex-preview.yml so `elastic/ci-gh-actions/fetch-github-token` can obtain an OIDC JWT.
---
 .github/workflows/codex-preview.yml | 1 +
 codex/build/action.yml | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/codex-preview.yml b/.github/workflows/codex-preview.yml
index b5f90cb..1c5eae8 100644
--- a/.github/workflows/codex-preview.yml
+++ b/.github/workflows/codex-preview.yml
@@ -61,6 +61,7 @@ jobs:
       path_prefix: ${{ steps.codex-build.outputs.path-prefix }}
     permissions:
       contents: read
+      id-token: write
     runs-on: ${{ needs.check.outputs.any_modified == 'true' && 'ubuntu-latest' || 'ubuntu-slim' }}
     steps:
       - name: Checkout code
diff --git a/codex/build/action.yml b/codex/build/action.yml
index 0a42195..b36bdea 100644
--- a/codex/build/action.yml
+++ b/codex/build/action.yml
@@ -40,6 +40,14 @@ runs:
         echo "PATH_PREFIX=${path_prefix}" >> $GITHUB_ENV
         echo "result=${path_prefix}" >> $GITHUB_OUTPUT
       shell: bash
+    - name: Generate vault role
+      id: generate-vault-role
+      shell: bash
+      run: |
+        workflow_ref=$(echo "${GITHUB_WORKFLOW_REF}" | awk -F'@' '{print $1}')
+        echo "${workflow_ref}"
+        hash=$(echo -n "${workflow_ref}" | sha256sum | awk '{print substr($1, 1, 12)}')
+        echo "result=token-policy-${hash}" >> "${GITHUB_OUTPUT}"
     # Fetch a token for reading elastic/codex-link-index (private). Non-fatal:
     # callers without codex cross-links don't need it, and callers missing the
     # policy registration (catalog-info) fall back to the same anonymous-HTTPS
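Review bot: `id-token: write` is granted at job scope, so every step in the build job — `actions/checkout`, `actions/upload-artifact` and anything else it runs — can request an OIDC JWT for any audience, not only the Vault login inside codex/build; that is the only granularity Actions offers, but the hunk leaves no trace of why the grant exists, which invites a later "unused permission" cleanup. A trailing comment on the new line would pin it, e.g. `id-token: write # Vault OIDC login in elastic/ci-gh-actions/fetch-github-token (via codex/build)`. The enclosing job definition starts and ends outside the hunk.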
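Review bot: The Generate vault role step has no comment stating that the role name is `token-policy-` plus the first 12 hex characters of `sha256sum` over the `@`-stripped `GITHUB_WORKFLOW_REF`, and that this must match byte-for-byte what the catalog-info registration computes — a mismatch is not an error here, and because the fetch step is `continue-on-error: true` it degrades silently to an anonymous clone. Suggest a header comment above `run:` such as `# Role = token-policy-<first 12 hex of sha256(owner/repo/.github/workflows/x.yml)>; must match the catalog-info registration` and labelling the bare debug line as `echo "vault-role derived from: ${workflow_ref}"`. `GITHUB_WORKFLOW_REF` is the top-level caller workflow's ref, so a consumer reaching codex/build through a reusable workflow gets the caller's path, not the reusable workflow's — presumably what the registration expects, worth confirming. `printf '%s' "${workflow_ref}"` is the portable replacement for `echo -n`, which is a bash builtin behaviour rather than a POSIX guarantee.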
@@ -50,7 +58,7 @@ runs:
       continue-on-error: true
       with:
         vault-instance: "ci-prod"
-        vault-role: "token-policy-pull-codex-repositories"
+        vault-role: "${{ steps.generate-vault-role.outputs.result }}"
         skip-token-revoke: true
     - name: Build
       run: docs-builder --output ./.artifacts/docs/html --path-prefix ${{ env.PATH_PREFIX }}
From 6ef45225389e25125927deff8ad09bf0bf72fb7e Mon Sep 17 00:00:00 2001
From: Fabrizio Ferri Benedetti
Date: Fri, 24 Apr 2026 11:52:45 +0200
Subject: [PATCH 4/4] Drop redundant skip-token-revoke (default is already true)

---
 codex/build/action.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/codex/build/action.yml b/codex/build/action.yml
index b36bdea..5b166f3 100644
--- a/codex/build/action.yml
+++ b/codex/build/action.yml
@@ -59,7 +59,6 @@ runs:
       with:
         vault-instance: "ci-prod"
         vault-role: "${{ steps.generate-vault-role.outputs.result }}"
-        skip-token-revoke: true
     - name: Build
       run: docs-builder --output ./.artifacts/docs/html --path-prefix ${{ env.PATH_PREFIX }}
       shell: bash
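Review bot: The token fetched here is never revoked after the Build step has used it — the commit title confirms the action's default is to skip revocation — so it stays valid until its Vault TTL expires, and removing the explicit key hides that choice from anyone reading the step. If `fetch-github-token` can revoke in its post step, `skip-token-revoke: false` would bound the credential's lifetime to the job, which is the tighter option for a token only one step consumes; if the default exists for a reason, a one-line comment saying so would stop the next reviewer from asking the same question, e.g. `# token is not revoked at job end (action default); its lifetime is the Vault TTL`. Deciding this explicitly matters a little more because the same step's `continue-on-error: true` already makes a failed fetch invisible. The `runs:` block this hunk sits in continues past the hunk.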