From c7b3d2483ba2b13bd9853b5e63ba5c23960c6049 Mon Sep 17 00:00:00 2001 From: Nathan Gillett Date: Thu, 7 May 2026 23:12:19 -0500 Subject: [PATCH] fix(ci): use cert-bot token for conformance push-back actions/checkout persists GITHUB_TOKEN as http.extraheader by default, which overrides URL-embedded tokens. Disable persisted credentials and clear the extraheader before pushing so ruleset bypass applies to the app installation. Co-authored-by: Cursor --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1bb0043..98174d8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -84,6 +84,8 @@ jobs: timeout-minutes: 15 steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Resolve pinned intentproof-spec revision id: spec_pin @@ -157,6 +159,7 @@ jobs: fi git config user.name "intentproof-cert-bot[bot]" git config user.email "intentproof-cert-bot[bot]@users.noreply.github.com" + git config --local --unset-all http.https://github.com/.extraheader || true git remote set-url origin "https://x-access-token:${INTENTPROOF_CERT_BOT_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" git add conformance-certificate.json conformance-report.json git commit -m "chore(ci): update conformance certificate and report"