From f4b2b3b1640f915be5f0e0626b38081059512ba8 Mon Sep 17 00:00:00 2001
From: jansdhillon
Date: Mon, 9 Mar 2026 11:31:25 -0600
Subject: [PATCH 1/3] feat: add optional github-token input to generate_terraform_docs workflow

Adds an optional github-token input that defaults to secrets.GITHUB_TOKEN for backwards compatibility. Callers can pass a PAT to allow CI workflows to trigger on the resulting pull request.

Fixes #966
---
 .github/workflows/generate_terraform_docs.yaml | 6 +++++-
 docs/changelog.md | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/generate_terraform_docs.yaml b/.github/workflows/generate_terraform_docs.yaml
index c513d0fdb..bfa6a8288 100644
--- a/.github/workflows/generate_terraform_docs.yaml
+++ b/.github/workflows/generate_terraform_docs.yaml
@@ -13,6 +13,10 @@ on:
 type: boolean
 description: Whether to enable auto-merge for the created pull request.
 default: true
+ github-token:
+ type: string
+ description: Token used to create the pull request. Use a PAT to allow CI to trigger on the resulting PR.
+ default: ""

 jobs:
 docs:
@@ -35,7 +39,7 @@ jobs:
 uses: canonical/create-pull-request@main
 if: ${{ github.event_name != 'pull_request' }}
 with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
+ github-token: ${{ inputs.github-token || secrets.GITHUB_TOKEN }}
 commit-message: "chore(docs): Update Terraform documentation"
 branch-name: terraform-docs
 title: "chore(docs): Update Terraform documentation"
diff --git a/docs/changelog.md b/docs/changelog.md
index cf6109100..9dfd6f8ec 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). Each revision is versioned by the date of the revision.
+## 2026-03-09
+
+- Add optional `github-token` input to the `generate_terraform_docs` workflow to allow callers to pass a PAT, enabling CI workflows to trigger on the resulting pull request.
+
 ## 2026-03-04 - Cache rock build results for register-typed rocks.
From 6b2f386bbb5c740c2c2388610ad74f5d2d958fcf Mon Sep 17 00:00:00 2001
From: jansdhillon
Date: Sun, 22 Mar 2026 21:46:55 -0600
Subject: [PATCH 2/3] fix: use secrets block for github-token instead of inputs

Move github-token from workflow_call inputs (string) to workflow_call secrets to prevent potential token exposure in workflow logs.

Fixes #966
---
 .github/workflows/generate_terraform_docs.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/generate_terraform_docs.yaml b/.github/workflows/generate_terraform_docs.yaml
index bfa6a8288..1a98c64be 100644
--- a/.github/workflows/generate_terraform_docs.yaml
+++ b/.github/workflows/generate_terraform_docs.yaml
@@ -13,10 +13,10 @@ on:
 type: boolean
 description: Whether to enable auto-merge for the created pull request.
 default: true
+ secrets:
 github-token:
- type: string
 description: Token used to create the pull request. Use a PAT to allow CI to trigger on the resulting PR.
- default: ""
+ required: false

 jobs:
 docs:
@@ -39,7 +39,7 @@ jobs:
 uses: canonical/create-pull-request@main
 if: ${{ github.event_name != 'pull_request' }}
 with:
- github-token: ${{ inputs.github-token || secrets.GITHUB_TOKEN }}
+ github-token: ${{ secrets.github-token || secrets.GITHUB_TOKEN }}
 commit-message: "chore(docs): Update Terraform documentation"
 branch-name: terraform-docs
 title: "chore(docs): Update Terraform documentation"
From b30a206d18e42f61e6e5b127a21ca6da6e549b30 Mon Sep 17 00:00:00 2001
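Review bot: The `github-token` secret's description in the new `secrets:` block says only "Use a PAT" and gives callers no guidance on how narrowly to scope the token, so a classic PAT with full `repo` access is the likely outcome. I would extend it along the lines of `description: Token used to create the pull request. Pass a fine-grained PAT or GitHub App token restricted to this repository (contents and pull-requests write) so CI triggers on the resulting PR; falls back to GITHUB_TOKEN when unset.` The permission set named there is inferred from what the step appears to do (push a branch, open a PR) and should be confirmed against the action before it is documented.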
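Review bot: The changed `github-token:` line now hands a caller-supplied secret to `canonical/create-pull-request@main`, which is referenced by a mutable branch, so whatever is on that branch at run time executes with the token. The default `GITHUB_TOKEN` is limited to the calling repository and expires with the job, whereas a PAT can be long-lived and reach other repositories, which raises the cost of an unexpected change upstream. Pin the action to a full commit SHA, `uses: canonical/create-pull-request@<full-commit-sha>  # <tag or date>`, and bump it deliberately. The `uses:` line is context rather than a change in this hunk, and the step's remaining inputs continue outside it.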
From: jansdhillon
Date: Sun, 22 Mar 2026 21:47:27 -0600
Subject: [PATCH 3/3] chore: update changelog to reflect secrets block approach

---
 docs/changelog.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/changelog.md b/docs/changelog.md
index 9dfd6f8ec..5128e2a58 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -8,7 +8,7 @@ Each revision is versioned by the date of the revision.

 ## 2026-03-09

-- Add optional `github-token` input to the `generate_terraform_docs` workflow to allow callers to pass a PAT, enabling CI workflows to trigger on the resulting pull request.
+- Add optional `github-token` secret to the `generate_terraform_docs` workflow to allow callers to pass a PAT, enabling CI workflows to trigger on the resulting pull request.

 ## 2026-03-04