[TT-16977] fix: dashboard resolver credential fix (release-5.12)

[buger]

Summary

• Adds persist-credentials: false to the actions/checkout step in the resolve-dashboard-image job
• The checkout step sets an AUTHORIZATION header with the limited GITHUB_TOKEN which overrides ORG_GH_TOKEN credentials used by git ls-remote for cross-repo branch checking against tyk-analytics
• This causes the resolver to silently fail the branch existence check and fall back to master/gromit-default dashboard image

Test plan

• Verify resolve-dashboard-image job correctly detects matching branches in tyk-analytics when they exist
• Verify the resolver falls back to gromit-default when no matching branch exists (expected behavior)
• Check workflow YAML is valid

Generated with Claude Code

[github-actions]

🚨 Jira Linter Failed

Commit: ce5321c
Failed at: 2026-04-16 16:54:12 UTC

The Jira linter failed to validate your PR. Please check the error details below:

🔍 Click to view error details

failed to validate branch and PR title rules: branch name 'hotfix/fix-resolver-credentials-5.12' must contain a valid Jira ticket ID (e.g., ABC-123)

Next Steps

• Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
• Verify your PR title matches the branch's Jira ticket ID
• Check that the Jira ticket exists and is accessible

---

This comment will be automatically deleted once the linter passes.

[probelabs]

This PR fixes a bug in the CI/CD release workflow that caused it to use an incorrect default Docker image for the Tyk Dashboard.

Files Changed Analysis

• File: .github/workflows/release.yml
• Changes: 1 line added, 0 deleted.
• Summary: The change is a single-line configuration update to a GitHub Actions workflow file, adding persist-credentials: false to a checkout step. This is a small, targeted fix for a specific automation issue.

Architecture & Impact Assessment

What this PR accomplishes:
This PR corrects a credential handling issue within the resolve-dashboard-image job of the release workflow. Previously, the job would silently fail to detect matching branches in the tyk-analytics repository and incorrectly fall back to a default dashboard image. This fix ensures the workflow can correctly authenticate to the other repository, find the appropriate branch, and select the correct dashboard image for the release.

Key technical changes introduced:
The change introduces the persist-credentials: false option to the actions/checkout step. This prevents the action from writing the default, limited-scope GITHUB_TOKEN into the runner's Git configuration. By not persisting these credentials, a subsequent step that uses git ls-remote can correctly authenticate with the intended ORG_GH_TOKEN, which has the necessary permissions to access the external tyk-analytics repository.

Affected system components:
The only component affected is the internal CI/CD release process defined in .github/workflows/release.yml. There is no impact on the production application code. The fix improves the reliability and correctness of the automated release builds.

Workflow Logic:

Before Change:

graph TD
    A[Start Job] --> B{actions/checkout};
    B --|Writes GITHUB_TOKEN to git config|--> C{Git Config};
    C --> D["git ls-remote on tyk-analytics"];
    D --|Fails due to wrong token|--> E[Fallback to default image];

Loading

After Change:

graph TD
    A[Start Job] --> B{actions/checkout with persist-credentials: false};
    B --|Does NOT write credentials|--> C{Git Config Unchanged};
    C --> D["git ls-remote on tyk-analytics"];
    D --|Succeeds using ORG_GH_TOKEN|--> E[Finds matching branch image];

Loading

Scope Discovery & Context Expansion

The change is highly localized to the .github/workflows/release.yml file and specifically impacts the interaction between the Tyk gateway and tyk-analytics repositories during the release process. The problem arises from a classic credential precedence issue in a CI environment where multiple tokens with different scopes are in play. This fix ensures that the more privileged token (ORG_GH_TOKEN) required for cross-repository communication is not overridden by the default, job-specific token (GITHUB_TOKEN).

Metadata

• Review Effort: 1 / 5
• Primary Label: bug

---

Powered by Visor from Probelabs

Last updated: 2026-04-16T16:54:51.456Z | Triggered by: pr_opened | Commit: ce5321c

💡 TIP: You can chat with Visor using /visor ask <your question>

[probelabs]

✅ Security Check Passed

No security issues found – changes LGTM.

✅ Security Check Passed

No security issues found – changes LGTM.

\n\n

✅ Architecture Check Passed

No architecture issues found – changes LGTM.

✅ Performance Check Passed

No performance issues found – changes LGTM.

---

Powered by Visor from Probelabs

Last updated: 2026-04-16T16:54:42.204Z | Triggered by: pr_opened | Commit: ce5321c

💡 TIP: You can chat with Visor using /visor ask <your question>

[github-actions]

API Changes

no api changes detected