fix: make action publication workflow dispatchable

[kantorcodes]

Summary

• remove the invalid job-level secrets expression from the action publication workflow
• validate ACTION_REPO_TOKEN inside the job so workflow dispatches succeed
• add regression coverage for the dispatch-safe workflow shape

Verification

• .venv/bin/python -m pytest tests/test_action_bundle.py -q
• .venv/bin/python -m pytest -q
• .venv/bin/python -m build

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Overview

This PR correctly fixes an invalid job-level secrets expression in the GitHub Actions workflow. In GitHub Actions, secrets context is not available in job-level if conditions — it silently evaluates to an empty string, causing the job to always run regardless of whether the secret is configured. Moving the validation into a step with if [ -z "${GH_TOKEN}" ] is the correct approach.

Files Reviewed (2 files)

• .github/workflows/publish-action-repo.yml - Removed invalid job-level if, added step-level credential validation
• tests/test_action_bundle.py - Added regression assertions to verify the fix

---

_{Reviewed by mimo-v2-pro-20260318 · 61,323 tokens}

[gemini-code-assist]

Code Review

This pull request updates tests/test_action_bundle.py to include assertions for credential validation and the removal of a conditional check within the workflow text. The review feedback suggests refactoring these tests to use a YAML parser instead of string matching to improve resilience against formatting changes and ensure more precise structural validation.

[gemini-code-assist]

These new assertions highlight a general issue with this test function: checking for string presence in a structured file like YAML is brittle. For instance, the checks could pass if the string is present in a comment, or fail on benign formatting changes.

A more robust approach is to parse the YAML file and inspect its structure. This makes the test more precise and resilient to formatting changes.

Consider refactoring this test to use a YAML parser (e.g., PyYAML, which would need to be added to test dependencies).

Here's an example of how you could rewrite some of the checks:

import yaml

# In test_publish_action_repo_workflow_syncs_action_repository:
workflow_path = ROOT / ".github" / "workflows" / "publish-action-repo.yml"
workflow_data = yaml.safe_load(workflow_path.read_text(encoding="utf-8"))

# Check workflow name
assert workflow_data["name"] == "Publish GitHub Action Repository"

# Check that the job-level 'if' is removed
# This assumes the job is named 'publish'. Adjust if necessary.
publish_job = workflow_data["jobs"]["publish"]
assert "if" not in publish_job

# Check for the new validation step
step_names = [step.get("name") for step in publish_job["steps"]]
assert "Validate publication credentials" in step_names

# Check for specific commands
all_steps_run_commands = ' '.join([step.get('run', '') for step in publish_job['steps']])
assert 'gh repo create "${ACTION_REPOSITORY}"' in all_steps_run_commands

Applying this pattern to all assertions in this test would significantly improve its maintainability and reliability.