From c5066494a79f44df8a38844766f1b2ccf59f26ef Mon Sep 17 00:00:00 2001
From: Tyler Dane <tyler@switchback.tech>
Date: Mon, 4 May 2026 11:06:01 -0500
Subject: [PATCH 1/2] feat: add workflow to auto-sync docs to compass-docs

Triggers on push to main when any docs/** file changes (plus
workflow_dispatch for manual runs). Rsyncs the docs/ directory to the
compass-docs repo and pushes a commit, which triggers a Vercel
deployment automatically.

Requires a repo secret COMPASS_DOCS_TOKEN: a fine-grained PAT with
Contents read+write scoped to SwitchbackTech/compass-docs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/sync-docs.yml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 .github/workflows/sync-docs.yml

diff --git a/.github/workflows/sync-docs.yml b/.github/workflows/sync-docs.yml
new file mode 100644
index 000000000..e8a749ce2
--- /dev/null
+++ b/.github/workflows/sync-docs.yml
@@ -0,0 +1,32 @@
+name: Sync docs to compass-docs
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'docs/**'
+  workflow_dispatch:
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/checkout@v4
+        with:
+          repository: SwitchbackTech/compass-docs
+          token: ${{ secrets.COMPASS_DOCS_TOKEN }}
+          path: compass-docs
+
+      - name: Sync docs
+        run: rsync -av --delete docs/ compass-docs/docs/
+
+      - name: Commit and push if changed
+        working-directory: compass-docs
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add -A
+          git diff --staged --quiet || git commit -m "sync: update docs from compass"
+          git push

From f5a4da33d8d4ceb397f2d8d1ca7fb2b9b317b3e9 Mon Sep 17 00:00:00 2001
From: Tyler Dane <tyler@switchback.tech>
Date: Mon, 4 May 2026 11:10:01 -0500
Subject: [PATCH 2/2] fix: restrict GITHUB_TOKEN to read-only permissions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/sync-docs.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/sync-docs.yml b/.github/workflows/sync-docs.yml
index e8a749ce2..12138ee97 100644
--- a/.github/workflows/sync-docs.yml
+++ b/.github/workflows/sync-docs.yml
@@ -7,6 +7,9 @@ on:
       - 'docs/**'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     runs-on: ubuntu-latest