ci: fix changelog workflow auth and push target#77
Merged
the BOT_TOKEN secret no longer authenticates, breaking every post-merge changelog update since #66. switch to the built-in GITHUB_TOKEN with contents:write, check out master directly (github.ref points at refs/pull/N/merge after close), and push to master explicitly so the run no longer depends on a stale secret.
Pull request overview
Fixes the post-merge Update Changelog GitHub Actions workflow so it can authenticate again, check out/push the correct branch, and avoid failing on no-op runs.
Changes:
- Switches checkout/auth from `BOT_TOKEN` to the built-in `GITHUB_TOKEN` and adds job-level `contents: write` permissions.
- Ensures the workflow operates on `master` (`ref: master`) and pushes explicitly to `origin HEAD:master`.
- Skips the commit/push when `CHANGELOG.md` has no staged changes.
setting an explicit `permissions` block drops every unspecified scope to none, and `scripts/update_changelog.py` calls `/pulls/{n}` and `/pulls/{n}/commits` to build the entry, so `contents:write` alone would 403.
two PRs merging close together would have both runs check out master, append, and race on the push - second one would lose with non-fast-forward. queue them with `cancel-in-progress: false` so each run sees the prior changelog commit before appending.
About the PR
The post-merge `Update Changelog` workflow has been failing on every merge since #66 because checkout is rejected with `fatal: could not read Username for 'https://github.com'` - the `BOT_TOKEN` secret no longer authenticates. This swaps it to the built-in `GITHUB_TOKEN`, fixes the push target, and only commits when the changelog actually changed.

Why / Balance
No gameplay impact - CI only. The merged PRs that ran while the workflow was broken (#66, #67, #68, #69, #70, #71, #74, #76) never had their changelog entries appended. Once this lands the workflow can be re-dispatched manually with that PR list to backfill `CHANGELOG.md`.

Technical details
- `secrets.BOT_TOKEN` -> `secrets.GITHUB_TOKEN` (the bot token is dead; the runner-issued token works and rotates per-run)
- `permissions: contents: write` on the job, since `GITHUB_TOKEN` is read-only by default for `pull_request` events
- `ref: master` on the checkout: when a PR closes, `github.ref` points at `refs/pull/N/merge`, so without this the runner checks out the merge ref and the push target is wrong
- `origin HEAD:master` instead of `${{ github.ref }}`
- `github-actions[bot]` (canonical for `GITHUB_TOKEN`-attributed commits)
- `git commit`

Media
N/A - CI only.
Requirements
Breaking changes
None.
Backfill plan (post-merge)
After this merges, run:
to append the missing entries to `CHANGELOG.md` in one pass.
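The fixes listed in the technical details and in the review comments (queued concurrency, `pull-requests: read` alongside `contents: write`), assembled into one workflow as an added illustration; this is not the project's actual workflow file, and the `workflow_dispatch` input name, the script's command-line interface and the commit message are assumptions.

```yaml
name: Update Changelog

on:
  pull_request:
    types: [closed]
  workflow_dispatch:
    inputs:
      prs:
        description: "Comma-separated PR numbers to backfill (assumed input name)"
        required: false

# Queue runs instead of cancelling them: each run must see the
# previous changelog commit before it appends, or its push is
# rejected as non-fast-forward.
concurrency:
  group: update-changelog
  cancel-in-progress: false

jobs:
  changelog:
    if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    # An explicit permissions block sets every unlisted scope to none,
    # so the script's /pulls/{n} calls need pull-requests: read too.
    permissions:
      contents: write
      pull-requests: read
    steps:
      - uses: actions/checkout@v4
        with:
          ref: master   # github.ref is refs/pull/N/merge after close
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Append changelog entry
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBERS: ${{ inputs.prs || github.event.pull_request.number }}
        run: python scripts/update_changelog.py "$PR_NUMBERS"   # script CLI is assumed
      - name: Commit and push
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add CHANGELOG.md
          # No-op runs exit cleanly instead of failing on an empty commit.
          if git diff --cached --quiet; then
            echo "CHANGELOG.md unchanged"; exit 0
          fi
          git commit -m "docs: update changelog for #${PR_NUMBERS}"
          git push origin HEAD:master
```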