From 97c676d664e5382cae61b8110f6fdeaa921da7e4 Mon Sep 17 00:00:00 2001 From: KC Berg Date: Tue, 8 Jul 2025 20:04:10 -0600 Subject: [PATCH 1/2] ci: move GH_TOKEN permission check before git operations --- .github/workflows/ci.yml | 5 +++++ .github/workflows/release.yml | 10 +++++----- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 74d2ab9..4e024c3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,6 +14,11 @@ jobs: python-version: ["3.10", "3.11", "3.12", "3.13"] steps: - uses: actions/checkout@v4 + - name: Test GH_TOKEN permissions + run: | + curl -v -H "Authorization: token ${{ secrets.GH_TOKEN }}" \ + https://api.github.com/repos/${{ github.repository }} + shell: bash - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e39619c..d29d361 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -43,6 +43,11 @@ jobs: with: ref: ${{ github.ref }} fetch-depth: 0 + - name: Test GH_TOKEN permissions + run: | + curl -v -H "Authorization: token ${{ secrets.GH_TOKEN }}" \ + https://api.github.com/repos/${{ github.repository }} + shell: bash - name: Set up Python uses: actions/setup-python@v5 with: @@ -54,11 +59,6 @@ jobs: - name: Set up git for pushing run: | git remote set-url origin https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${{ github.repository }}.git - - name: Test GH_TOKEN permissions - run: | - curl -v -H "Authorization: token ${{ secrets.GH_TOKEN }}" \ - https://api.github.com/repos/${{ github.repository }} - shell: bash - name: Set git user for GitHub Actions bot run: | git config user.name "github-actions[bot]" From 5894134a6d0c641222c5b0e781c5279a4fd877c1 Mon Sep 17 00:00:00 2001 
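Review bot: The `Test GH_TOKEN permissions` step added to `.github/workflows/ci.yml` in PATCH 1/2 cannot fail and puts the credential one control away from the job log. Without `--fail`, curl exits 0 on a 401 or 403, so a bad token never stops the job. `-v` writes the request headers, including `Authorization`, to the log, which leaves Actions' secret masking as the only thing hiding the value. The secret is also expanded into the script text by `${{ secrets.GH_TOKEN }}` rather than passed through `env:`. The same step text appears in the `.github/workflows/release.yml` hunks of this patch and in the ci.yml and release.yml hunks of PATCH 2/2, so the change below applies to each copy.

```yaml
      - name: Test GH_TOKEN permissions
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
        run: |
          curl --fail --silent --show-error --output /dev/null \
            -H "Authorization: token $GH_TOKEN" \
            "https://api.github.com/repos/$GITHUB_REPOSITORY"
        shell: bash
```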
From: KC Berg Date: Wed, 9 Jul 2025 02:47:30 -0600 Subject: [PATCH 2/2] ci: move GH_TOKEN permission check to just before tag creation and remove user check --- .github/workflows/ci.yml | 25 +++++-------------------- .github/workflows/release.yml | 19 ++++++++++--------- 2 files changed, 15 insertions(+), 29 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4e024c3..5e2b13b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,11 +14,6 @@ jobs: python-version: ["3.10", "3.11", "3.12", "3.13"] steps: - uses: actions/checkout@v4 - - name: Test GH_TOKEN permissions - run: | - curl -v -H "Authorization: token ${{ secrets.GH_TOKEN }}" \ - https://api.github.com/repos/${{ github.repository }} - shell: bash - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 with: @@ -40,15 +35,14 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + - name: Test GH_TOKEN permissions + run: | + curl -v -H "Authorization: token ${{ secrets.GH_TOKEN }}" \ + https://api.github.com/repos/${{ github.repository }} + shell: bash - name: Set up git for pushing run: | git remote set-url origin https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${{ github.repository }}.git - - name: Log git remote and user - run: | - git remote -v - git config --list - git config user.name || true - git config user.email || true - name: Create and push tag for current version (with verbose logging) run: | git tag v${{ steps.get_version.outputs.version }} 
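Review bot: In the `@@ -40,15 +35,14 @@` hunk of `.github/workflows/ci.yml`, the `Test GH_TOKEN permissions` step now sits just before the tag push but does not test the permission that push needs. A `GET` on `/repos/{owner}/{repo}` succeeds for any token that can read the repository, and presumably without a usable token at all if the repository is public, so a read-only token passes here and the failure still surfaces later at `git push`. To make the step a real gate, test the `permissions.push` field of the response by piping the curl output into `jq -e '.permissions.push'`, which exits non-zero when the field is false or missing. The `Create and push tag` step's script continues outside the hunk.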
@@ -66,17 +60,8 @@ jobs: - name: Set up git for pushing run: | git remote set-url origin https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${{ github.repository }}.git - - name: Set git user for GitHub Actions bot - run: | - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - name: Bump patch version with bumpver run: bumpver update --patch --commit - name: Push version bump commit run: | git push - - name: Test GH_TOKEN permissions - run: | - curl -v -H "Authorization: token ${{ secrets.GH_TOKEN }}" \ - https://api.github.com/repos/${{ github.repository }} - shell: bash \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d29d361..3cfab40 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -29,6 +29,11 @@ jobs: runs-on: ubuntu-latest needs: approval steps: + - name: Test GH_TOKEN permissions + run: | + curl -v -H "Authorization: token ${{ secrets.GH_TOKEN }}" \ + https://api.github.com/repos/${{ github.repository }} + shell: bash - name: Confirm release tag exists run: | echo "Release tag is ${{ github.ref }}" @@ -43,11 +48,6 @@ jobs: with: ref: ${{ github.ref }} fetch-depth: 0 - - name: Test GH_TOKEN permissions - run: | - curl -v -H "Authorization: token ${{ secrets.GH_TOKEN }}" \ - https://api.github.com/repos/${{ github.repository }} - shell: bash - name: Set up Python uses: actions/setup-python@v5 with: 
@@ -79,13 +79,14 @@ jobs: with: ref: ${{ github.ref }} fetch-depth: 0 + - name: Test GH_TOKEN permissions + run: | + curl -v -H "Authorization: token ${{ secrets.GH_TOKEN }}" \ + https://api.github.com/repos/${{ github.repository }} + shell: bash - name: Set up git for pushing run: | git remote set-url origin https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${{ github.repository }}.git - - name: Set git user for GitHub Actions bot - run: | - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx
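Review bot: `Set up git for pushing` in this `.github/workflows/release.yml` job writes the token into the origin URL, so it stays in `.git/config` for every later step, and the steps that follow set up a Docker build. If the build context includes `.git`, the credential could be copied into an image layer; the build step is outside the hunk, so this is unconfirmed. With the git identity step removed, this job may no longer commit or push at all, in which case the remote rewrite can be dropped here. If it does still push, confine the rewrite to the pushing step, restore the plain URL afterwards with `git remote set-url origin https://github.com/${{ github.repository }}.git`, and list `.git` in `.dockerignore`.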