
chore(ci): add repository dispatch workflow #2442

Merged
merged 1 commit into from
Apr 16, 2024

Conversation

Sec-ant
Contributor

@Sec-ant Sec-ant commented Apr 14, 2024

Summary

Add repository dispatch workflow. This workflow is meant to trigger the Pin submodule and run codegen workflow in biomejs/website whenever a push event is issued from the main branch.

To trigger the workflow in another repository, this workflow needs a PAT (Personal Access Token) and stores it as a repository secret. I used the secret name BIOME_REPOSITORY_DISPATCH in this workflow. Further details about the token permissions can be found here: https://github.com/peter-evans/repository-dispatch?tab=readme-ov-file#token

I suggest that we create a dedicated account under the organization (maybe with the name biomecookie or something like that) for token management. So personal access tokens won't be associated with any personal accounts. We should also only grant the minimal permissions for the tokens we need.

A dedicated account for tokens will also let us use it instead of github-actions[bot] to trigger other workflows:

When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository's GITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.

Commits pushed by a GitHub Actions workflow that uses the GITHUB_TOKEN do not trigger a GitHub Pages build.

A bit of info on creating a machine user:

Test Plan
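An added example (not the PR's actual workflow file, which is not shown on this page) of how the two halves described above fit together: the dispatching workflow in the biome repository and the receiving `repository_dispatch` trigger in biomejs/website. The file paths, the event type name `website-codegen`, the job and step names, and the client payload are assumptions; the secret name and action version are the ones discussed in this thread.

```yaml
# --- biome repository: .github/workflows/repository-dispatch.yml (assumed path) ---
name: Repository dispatch

on:
  push:
    branches: [main]

# The job never needs the built-in GITHUB_TOKEN: drop all of its permissions
# so the only credential in play is the dedicated, narrowly scoped PAT.
permissions: {}

jobs:
  dispatch:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger website codegen
        if: ${{ github.event_name == 'push' }}
        uses: peter-evans/repository-dispatch@v3
        with:
          # Fine-grained PAT from the dedicated machine account, scoped to the
          # single target repository with "Contents: Read and write", stored as
          # a repository secret (see the action's README for token details).
          token: ${{ secrets.BIOME_REPOSITORY_DISPATCH }}
          repository: biomejs/website
          event-type: website-codegen   # assumed name; must match the receiver
          client-payload: '{"ref": "${{ github.ref }}", "sha": "${{ github.sha }}"}'

---
# --- biomejs/website: .github/workflows/pin-submodule.yml (assumed path) ---
name: Pin submodule and run codegen

on:
  repository_dispatch:
    types: [website-codegen]   # only this event type starts the job

jobs:
  codegen:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true
      - name: Show which commit triggered this run
        run: echo "dispatched for ${{ github.event.client_payload.sha }}"
```

Because the PAT is scoped to one repository and one permission, a leak of BIOME_REPOSITORY_DISPATCH exposes only the ability to fire this dispatch event, which is the least-privilege argument made later in the thread.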

netlify bot commented Apr 14, 2024

Deploy Preview for biomejs ready!

| Name | Link |
|---|---|
| 🔨 Latest commit | ff8fea6 |
| 🔍 Latest deploy log | https://app.netlify.com/sites/biomejs/deploys/661b686357fd8600088b69f3 |
| 😎 Deploy Preview | https://deploy-preview-2442--biomejs.netlify.app |
| 📱 Preview on mobile | (QR code) |

Lighthouse
1 paths audited
Performance: 99 (no change from production)
Accessibility: 97 (no change from production)
Best Practices: 100 (no change from production)
SEO: 93 (no change from production)
PWA: -

```yaml
        if: ${{ github.event_name == 'push' }}
        uses: peter-evans/repository-dispatch@v3
        with:
          token: ${{ secrets.BIOME_REPOSITORY_DISPATCH }}
```
Contributor Author

@Sec-ant Sec-ant Apr 14, 2024


This is the PAT token we use and it should be stored as a repository secret and the name should match (I used the name BIOME_REPOSITORY_DISPATCH, we can change the name but they should be kept the same).

@Sec-ant Sec-ant mentioned this pull request Apr 16, 2024
@ematipico
Member

The bot should be up and running now. The only thing that I changed was the name of the secret: BIOME_COOKIE_BOT

In the future, we can use it instead of the github bot if we want.

@Sec-ant
Contributor Author

Sec-ant commented Apr 16, 2024

> The only thing that I changed was the name of the secret: BIOME_COOKIE_BOT

I may be wrong because I have no experience managing tokens for an organization. But shouldn't we have different dedicated tokens with the least permissions granted for each kind of task we run? A single token with many permissions may have some security risks, and BIOME_COOKIE_BOT seems to me to be a multi-purpose token with many permissions granted.

@ematipico
Member

For now, BIOME_COOKIE_BOT has only the permissions required by this kind of workflow.

If we require different permissions, we can create a different PAT with fine-grained permissions; then, using the values of said PAT, we can create one more secret in the repository where we need said permissions.

Although, you actually have a good point, and it makes sense to name the secret based on what it is meant for. I will update the name of the secret.

@ematipico
Member

Done!

@Sec-ant
Contributor Author

Sec-ant commented Apr 16, 2024

> Done!

Thanks, just to be sure, is the new secret name BIOME_REPOSITORY_DISPATCH?

@ematipico
Member

Yes, that's the name

@Sec-ant Sec-ant merged commit 8b2ef89 into biomejs:main Apr 16, 2024
5 checks passed
@Sec-ant Sec-ant deleted the ci/add-repository-dispatch branch April 16, 2024 11:56