[TT-16977] fix: dashboard resolver credential fix (release-5.12.1) #8056

Merged: buger merged 1 commit into release-5.12.1 from hotfix/fix-resolver-credentials-5.12.1 on Apr 16, 2026

@buger buger commented Apr 16, 2026

Summary

  • Adds persist-credentials: false to the actions/checkout step in the resolve-dashboard-image job
  • The checkout step sets an AUTHORIZATION header with the limited GITHUB_TOKEN which overrides ORG_GH_TOKEN credentials used by git ls-remote for cross-repo branch checking against tyk-analytics
  • This causes the resolver to silently fail the branch existence check and fall back to master/gromit-default dashboard image

Test plan

  • Verify resolve-dashboard-image job correctly detects matching branches in tyk-analytics when they exist
  • Verify the resolver falls back to gromit-default when no matching branch exists (expected behavior)
  • Check workflow YAML is valid

Generated with Claude Code

Prevents GITHUB_TOKEN AUTHORIZATION header from overriding ORG_GH_TOKEN
in cross-repo git ls-remote calls.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@buger buger requested a review from a team as a code owner April 16, 2026 16:53

probelabs Bot commented Apr 16, 2026

This PR fixes a credential handling bug in the release.yml workflow. By adding persist-credentials: false to a checkout step, it prevents the default GITHUB_TOKEN from overriding the ORG_GH_TOKEN required for cross-repository branch checks. This ensures the resolve-dashboard-image job can correctly detect matching branches in the tyk-analytics repository and select the appropriate dashboard image, rather than silently failing and using a default.

Files Changed Analysis

  • .github/workflows/release.yml: A single line was added to the resolve-dashboard-image job. This is a targeted configuration change within the CI/CD pipeline to alter the behavior of the actions/checkout step.

Architecture & Impact Assessment

  • What this PR accomplishes: It corrects a bug in the release process that caused the wrong Tyk Dashboard image to be used when a corresponding feature branch existed in the tyk-analytics repository. The fix ensures the correct image is resolved.
  • Key technical changes introduced: The persist-credentials: false option is added to the actions/checkout configuration. This prevents the action from modifying the local git configuration, allowing subsequent steps to use a different set of credentials (ORG_GH_TOKEN) for authenticating with other repositories.
  • Affected system components: The change is isolated to the CI/CD pipeline, specifically the release.yml workflow. It directly impacts the resolve-dashboard-image job, which is part of the automated release and build process. There is no impact on the runtime behavior of the Tyk Gateway product itself.

Workflow Credential Flow

The diagram below illustrates how the credential handling is fixed.

graph TD
    subgraph sg1 ["Problematic Flow (Before)"]
        A[actions/checkout] -->|"Writes limited GITHUB_TOKEN to git config"| B(Git Config)
        C[git ls-remote tyk-analytics] -->|"Reads GITHUB_TOKEN from git config"| B
        C -->|"Fails silently (insufficient permissions)"| D(Fallback to Default Image)
    end

    subgraph sg2 ["Corrected Flow (After)"]
        A_fix["actions/checkout with persist-credentials:false"] -->|"Does NOT write token"| B_fix(Git Config)
        C_fix[git ls-remote tyk-analytics] -->|"Uses correct ORG_GH_TOKEN from environment"| E{Check tyk-analytics repo}
        E -->|"Branch Found"| F(Use Correct Dashboard Image)
        E -->|"Branch Not Found"| G(Fallback to Default Image)
    end

Scope Discovery & Context Expansion

The impact of this change is narrowly focused on the release automation for the Tyk Gateway. The resolve-dashboard-image job's purpose is to synchronize feature development between the gateway (tyk) and the dashboard (tyk-analytics) repositories. When a PR is opened on a branch like feature/foo in tyk, this job checks if a corresponding feature/foo branch exists in tyk-analytics. If it does, it uses a dashboard image built from that branch. The bug caused this check to always fail, leading to the use of a default image and potentially masking integration issues until later in the development cycle. This fix restores the intended cross-repository integration testing within the CI pipeline.

Metadata
  • Review Effort: 1 / 5
  • Primary Label: bug

Powered by Visor from Probelabs

Last updated: 2026-04-16T16:55:03.956Z | Triggered by: pr_opened | Commit: 705a3c8

💡 TIP: You can chat with Visor using /visor ask <your question>
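
A check that follows from the fix discussed above, added here as an example and not part of the PR or the Tyk repository: a small Python audit that flags actions/checkout steps which leave persist-credentials at its default (the action persists the token in git config unless told otherwise). The sample workflow is constructed; its step names and the REMOTE_URL and BRANCH variables are assumptions.

```python
import re

# Constructed sample workflow, not the project's release.yml; step names,
# REMOTE_URL and BRANCH are assumptions made for this example.
SAMPLE_WORKFLOW = """\
jobs:
  resolve-dashboard-image:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check branch
        env:
          ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }}
        run: git ls-remote --heads "$REMOTE_URL" "$BRANCH"
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
"""

STEP_START = re.compile(r"^(\s*)-\s+\S")
CHECKOUT = re.compile(r"\buses:\s*['\"]?actions/checkout@")
PERSIST_OFF = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(#.*)?$")

def indent_of(line):
    return len(line) - len(line.lstrip())

def checkout_steps_persisting_credentials(workflow_text):
    """1-based line numbers of actions/checkout steps lacking persist-credentials: false."""
    lines, findings, i = workflow_text.splitlines(), [], 0
    while i < len(lines):
        start = STEP_START.match(lines[i])
        if not start:
            i += 1
            continue
        depth = len(start.group(1))
        # A step runs until the next non-blank line at the same or lower indent.
        end = i + 1
        while end < len(lines) and (not lines[end].strip() or indent_of(lines[end]) > depth):
            end += 1
        block = lines[i:end]
        uses = [i + k + 1 for k, text in enumerate(block) if CHECKOUT.search(text)]
        if uses and not any(PERSIST_OFF.match(text) for text in block):
            findings.append(uses[0])
        i = end
    return findings
```

The scan is line-based and does not parse YAML, so it expects block-style steps as in the sample; a flagged step is a prompt to review whether later steps in that job authenticate with a different token.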

@github-actions

API Changes

no api changes detected

probelabs Bot commented Apr 16, 2026

✅ Security Check Passed

No security issues found – changes LGTM.

✅ Architecture Check Passed

No architecture issues found – changes LGTM.

✅ Performance Check Passed

No performance issues found – changes LGTM.

Last updated: 2026-04-16T16:54:58.515Z | Triggered by: pr_opened | Commit: 705a3c8

@buger buger merged commit 81415fd into release-5.12.1 Apr 16, 2026
13 of 14 checks passed
@buger buger deleted the hotfix/fix-resolver-credentials-5.12.1 branch April 16, 2026 17:00
@probelabs probelabs Bot changed the title fix: dashboard resolver credential fix (release-5.12.1) [TT-16977] fix: dashboard resolver credential fix (release-5.12.1) Apr 17, 2026
@github-actions

🚨 Jira Linter Failed

Commit: 705a3c8
Failed at: 2026-04-17 16:48:47 UTC

The Jira linter failed to validate your PR. Please check the error details below:

Error details:
failed to get Jira issue: failed to fetch Jira issue TT-16977: Issue does not exist or you do not have permission to see it.: request failed. Please analyze the request body for more details. Status code: 404

Next Steps

  • Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
  • Verify your PR title matches the branch's Jira ticket ID
  • Check that the Jira ticket exists and is accessible

This comment will be automatically deleted once the linter passes.
