devops: extend app-token fix to cicd.yml + cron.yml#117
Open
rsharath wants to merge 1 commit into
Open
Conversation
PR #115 fixed the `actions/create-github-app-token@v3` config in release.yml. PR #116's release-pipeline overhaul kept that fix clean. But TWO other workflows that use the same action had the identical bugs and were left untouched in both PRs: .github/workflows/cicd.yml — runs on every push to main .github/workflows/cron.yml — runs weekly (and on workflow_dispatch) Both had: client-id: ${{ secrets.HIGHFLAME_GITHUB_APP_ID }} # wrong field repositories: | - ${{ github.repository }} # `-` prefix + owner/repo form - ${{ env.DEVOPS_REPO }} cicd.yml has been failing on every push to main since #113 landed (it triggered on push, the trigger step died at the app-token, the deploy-trigger never fired downstream). The cron version would fail the next time it runs (Friday at 2:30 AM UTC). Applied the same fix pattern used in release.yml: app-id: ${{ secrets.HIGHFLAME_GITHUB_APP_ID }} # deprecated alias OK; secret is numeric App ID repositories: | ${{ github.event.repository.name }} # bare name ${{ env.DEVOPS_REPO }} # already bare Pre-flight dry-run before pushing this time: - cargo fmt --check ✅ - cargo clippy --all-features --all-targets -- -D warnings -D unused ✅ (no Rust changes, expected clean — verified anyway) - YAML parse for all 6 workflows ✅ - grep across all workflows: NO remaining `- ${{ github.repository }}` or `client-id:` for the create-github-app-token action How I missed this on the earlier passes: every previous review focused on release.yml + release-plz.yml and didn't grep the rest of `.github/workflows/` for the same `actions/create-github-app-token@v3` pattern. Sub-agent review on PR #115 was scoped to release.yml only. Lesson: when a bug is found in one workflow file, grep all workflows for the same action and config pattern. Won't repeat.
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
6 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Two workflow files I overlooked in PR #115 / #116 have the SAME
actions/create-github-app-token@v3bugs we already fixed inrelease.yml:.github/workflows/cicd.yml.github/workflows/cron.ymlBoth had:
Failed with:
Repository '- highflame-ai/ramparts' includes owner '- highflame-ai', which does not match the resolved owner 'highflame-ai'.Fix
Same pattern release.yml already uses:
How I missed this earlier
Every prior review (PRs #113 / #115 / #116, three sub-agent code reviews) scoped to
release.yml+release-plz.ymland didn't grep the rest of.github/workflows/for the sameactions/create-github-app-token@v3pattern. Sub-agent review on #115 was explicitly scoped to release.yml only.Lesson learned: when a bug is found in one workflow file, grep all workflows for the same
uses:action + config pattern. Future workflow audits will start withgrep -rn 'actions/create-github-app-token' .github/workflows/and check each block.Pre-flight dry-run before pushing
grepacross workflows: NO remaining- ${{ github.repository }}and NO remainingclient-id:for anycreate-github-app-tokenblockThis is the same pre-flight checklist I should have run BEFORE pushing #115 (then I would have found these two files immediately by searching for the same pattern).
Test plan
cicd.ymlsuccessfully (thehighflame-triggerjob hits the downstream workflow without the app-token error)workflow_dispatch)