From 3cb804afa816276388c170e194e1128f22defb33 Mon Sep 17 00:00:00 2001
From: Nigel Tatschner
Date: Thu, 28 May 2026 21:08:14 +0100
Subject: [PATCH] fix(auto-publish): compose URL from STARSTATS_API_URL instead of a separate secret
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR #128 introduced a `ROADMAP_PUBLISH_URL` env var holding the full URL of the publish endpoint. Followed the same pattern as `ROADMAP_EVENTS_URL`, but it was wrong here: STARSTATS_API_URL already exists as a secret (set up for the earlier JWT-based admin publish script in PR #113), and the publish endpoint is just `${STARSTATS_API_URL}/v1/internal/roadmap/changelog/publish` — one path, one composition rule, no second secret to provision.

Switch the script to compose from STARSTATS_API_URL, drop the ROADMAP_PUBLISH_URL plumbing entirely. The release.yml job now reads only `secrets.STARSTATS_API_URL` (already provisioned, set to `https://api.starstats.app`), so the auto-publish path activates on the next live release without any additional operator action.

Trailing-slash tolerance: `replace(/\/+$/, "")` on the base so `https://api.starstats.app` and `https://api.starstats.app/` both resolve identically.

Surfaced post-merge of #128: today's tray-v1.8.10 live release ran the auto-publish job successfully but no-op'd with `ROADMAP_PUBLISH_URL not set (pipeline not configured)`. After this PR ramps + merges, the next live release exercises the HMAC path for real with no secret-provisioning step in between.

Not harmonizing `ROADMAP_EVENTS_URL` in the same PR — that's a separate refactor on a stable existing path, low value to bundle.
---
 .github/workflows/release.yml | 5 ++++-
 scripts/auto-publish-changelog.mjs | 20 +++++++++++++-------
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a6f6525..6f5bce4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -640,5 +640,8 @@ jobs:
 CHANNEL: live
 # HMAC auth (reused from the emit job's secret).
 ROADMAP_CI_EVENT_HMAC_KEY: ${{ secrets.ROADMAP_CI_EVENT_HMAC_KEY }}
- ROADMAP_PUBLISH_URL: ${{ secrets.ROADMAP_PUBLISH_URL }}
+ # API base URL — the publish endpoint path is appended by the
+ # script. Reuses the existing STARSTATS_API_URL secret rather
+ # than a separate per-endpoint URL secret.
+ STARSTATS_API_URL: ${{ secrets.STARSTATS_API_URL }}
 run: node scripts/auto-publish-changelog.mjs
diff --git a/scripts/auto-publish-changelog.mjs b/scripts/auto-publish-changelog.mjs
index 69f095d..83519c4 100644
--- a/scripts/auto-publish-changelog.mjs
+++ b/scripts/auto-publish-changelog.mjs
@@ -14,10 +14,13 @@
 // Required env vars:
 // - ROADMAP_CI_EVENT_HMAC_KEY Shared secret (raw bytes / UTF-8).
 // Same key as the emit endpoint.
-// - ROADMAP_PUBLISH_URL Full URL of the publish endpoint, e.g.
-// `https://api.starstats.app/v1/internal/roadmap/changelog/publish`.
-// Separated from `ROADMAP_EVENTS_URL` so
-// each endpoint can rotate independently.
+// - STARSTATS_API_URL Base URL of starstats-server, e.g.
+// `https://api.starstats.app`. The publish
+// endpoint path (`/v1/internal/roadmap/
+// changelog/publish`) is appended
+// automatically. Shared with the existing
+// admin-CLI publish path; one secret, one
+// source of truth for the API hostname.
 // - ROADMAP_ITEM_SLUG Slug to publish drafts for. Required.
 //
 // Optional:
@@ -55,8 +58,8 @@ const env = process.env;
 if (!env.ROADMAP_CI_EVENT_HMAC_KEY) {
 noop('ROADMAP_CI_EVENT_HMAC_KEY not set (pipeline not configured)');
 }
-if (!env.ROADMAP_PUBLISH_URL) {
- noop('ROADMAP_PUBLISH_URL not set (pipeline not configured)');
+if (!env.STARSTATS_API_URL) {
+ noop('STARSTATS_API_URL not set (pipeline not configured)');
 }
 if (!env.ROADMAP_ITEM_SLUG) {
 noop('ROADMAP_ITEM_SLUG not set (no item to publish for)');
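Review bot: The new `STARSTATS_API_URL` guard in the `@@ -55,8 +58,8 @@` hunk still leaves through `noop(...)`, so a release where `ROADMAP_CI_EVENT_HMAC_KEY` is set but the base URL is empty would presumably end green without publishing, the same silent outcome the commit message reports for tray-v1.8.10. By the time this check runs the key check above it has passed (assuming `noop` exits), so a missing base URL is a half-configured pipeline rather than an unconfigured one. I would make it visible, for example `console.log('::warning::STARSTATS_API_URL not set; changelog not published');` before the `noop` call, or exit non-zero in that case. A whitespace-only secret also passes `!env.STARSTATS_API_URL`, so testing `env.STARSTATS_API_URL?.trim()` would be safer. The body of `noop` is outside the hunk, so confirm it does not already emit an annotation.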
@@ -88,7 +91,10 @@ mac.update(`v1.${ts_ms}.`);
 mac.update(body);
 const sig = `v1=${mac.digest('hex')}`;
-const url = env.ROADMAP_PUBLISH_URL;
+// Compose the endpoint URL from the base. Trim trailing slashes so
+// `STARSTATS_API_URL=https://api.starstats.app/` and the bare form
+// both resolve identically.
+const url = `${env.STARSTATS_API_URL.replace(/\/+$/, "")}/v1/internal/roadmap/changelog/publish`;
 const headers = {
 'content-type': 'application/json',
 'X-StarStats-Timestamp': ts_ms,
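Review bot: The `url` composed here is the destination of the HMAC-signed request, but the base is only stripped of trailing slashes and never parsed, so an `http://` value, a value carrying a query string or fragment, or one with stray whitespace would be used as-is. Parsing it lets the script stop before the signature and body are sent anywhere unintended: `const base = new URL(env.STARSTATS_API_URL.trim());`, `if (base.protocol !== 'https:') throw new Error('STARSTATS_API_URL must be an https URL');`, `const url = new URL('/v1/internal/roadmap/changelog/publish', base).href;`. Note that `new URL(path, base)` with an absolute path discards any path prefix on the base, which matches the documented "base URL" contract but differs from the current concatenation. The request call and the rest of the `headers` object are outside the hunk, so this assumes `url`, `sig` and `headers` are sent together further down.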