fix(auth,release): token validation/refresh + env fallback; wire finalize into canonical CI (#8)
…CI finalize

Auth (issue #5 finding 4): EnsureToken no longer trusts a cached token blindly — expiring tokens are checked by clock, legacy tokens are validated against the API, and stale tokens are refreshed via the refresh-token grant or evicted so the device flow re-runs. Device-flow responses now persist expires_in/refresh_token. APX_GITHUB_TOKEN/GH_TOKEN/GITHUB_TOKEN override the cache entirely (CI escape hatch), and auth status reports expired tokens instead of claiming they are authenticated.

Release (issue #5 finding 2): 'apx release finalize --api <id> --version <v>' reconstructs the manifest in CI where the producer's local manifest does not exist, and canonical repos now get a generated release-finalize.yml workflow that tags the release when a release PR merges — previously no workflow ever ran finalize, so no canonical tag was ever cut.
…de in tests on Windows

Tool auto-download requested asset names that do not exist upstream:
buf spells arm64 as aarch64 only on Linux (Darwin/Windows use arm64) and
ships Windows binaries as bare .exe files, while oasdiff uses Go-style
amd64/arm64 names and a universal darwin_all build. The shared
{OS}/{ARCH} pattern produced 404s ('tool not found') on macOS arm64 and
Windows for buf, and everywhere for oasdiff. Replace the pattern with
per-tool assetName functions verified against the projects' releases.
Also fix config tests overriding HOME, which Windows ignores
(os.UserHomeDir reads USERPROFILE), leaking the real home into tests.
What

Fixes findings #4 and #2 of #5 — the last two pieces needed for an end-to-end working release pipeline (after #6 and #7).

Auth (finding #4)

`apx auth login` previously reported `Authenticated successfully` while returning a dead cached token: `EnsureToken` trusted any cached token unconditionally, GitHub-App user tokens (`ghu_`) expire, no refresh token was ever persisted, and there was no env-token escape hatch. Now:

- Device-flow responses now persist `expires_in`/`refresh_token`/`refresh_token_expires_in`; expiring tokens are checked by clock (60s skew).
- Legacy tokens are validated against `GET /user`; only a definitive 401 invalidates (offline use unaffected).
- Stale tokens are refreshed via `grant_type=refresh_token` when possible; otherwise the stale token is evicted so the device flow actually re-runs.
- `APX_GITHUB_TOKEN` > `GH_TOKEN` > `GITHUB_TOKEN` override the cache entirely (CI-friendly; also honored by the non-interactive remote-config path).
- `auth status` — expired tokens now report `token expired (issued …) — run apx auth login` instead of `authenticated`.

Release finalize in CI (finding #2)

No canonical workflow ever invoked `apx release finalize`, so merging a release PR never cut a tag (both canonical repos had zero tags). Now:

- `apx release finalize --api <id> --version <v>` — CI mode that reconstructs the manifest exactly like `prepare` does (identity + language coords; lifecycle inferred from the version's prerelease, overridable; `--commit` selects the tag target). Needed because the producer's local `.apx-release.yaml` doesn't exist in canonical CI.
- `release-finalize.yml` — new canonical workflow (written by `apx init canonical` and `apx workflows`): on merged PRs from `apx/release/*` branches it parses the release coordinates from the PR title, runs CI-mode finalize on the merge commit, pushes the canonical tag, and uploads the release record artifact.

Verified

- `go test . ./internal/... ./cmd/...` — includes the testscripts.
- `init canonical` (generates all three workflows) → real schema → `apx release finalize --api proto/payments/ledger/v1 --version v1.0.0-beta.1` → lint/policy pass, tag `proto/payments/ledger/v1.0.0-beta.1` cut (correct post-#7 format; #7 is "fix(release): derive release tag from the normalized Go-module subdir (v0/v1)"), release record written.

Closes #5.
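The token-handling rules in the Auth section above (env override precedence, clock check with 60s skew, API validation of legacy tokens where only a definitive 401 invalidates, refresh-or-evict for stale tokens, and an honest `auth status`) are easy to get subtly wrong, so here is an added Go sketch of that decision procedure with the clock, environment and network probe injected. This is example code written for this page, not apx's `EnsureToken`; the `cachedToken` fields, the `decision` values, the `IssuedAt` field and the function names are assumptions, and the token strings in `main` are constructed sample values.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"time"
)

// Assumed cache entry shape: the PR says the device flow now persists expires_in,
// refresh_token and refresh_token_expires_in. IssuedAt is an assumption that
// feeds the "token expired (issued …)" status line.
type cachedToken struct {
	AccessToken           string
	RefreshToken          string
	IssuedAt              time.Time
	ExpiresAt             time.Time // zero: legacy entry with no recorded expiry
	RefreshTokenExpiresAt time.Time // zero: no recorded expiry for the refresh token
}

// clockSkew matches the 60s skew the PR describes.
const clockSkew = 60 * time.Second

type decision string

const (
	useEnv    decision = "use env token, ignore cache"
	useCached decision = "use cached token"
	doRefresh decision = "refresh via grant_type=refresh_token"
	evict     decision = "evict cache, re-run device flow"
)

// envOverride returns the first non-empty value in precedence order
// APX_GITHUB_TOKEN > GH_TOKEN > GITHUB_TOKEN. getenv is injected for testing.
func envOverride(getenv func(string) string) (string, bool) {
	for _, name := range []string{"APX_GITHUB_TOKEN", "GH_TOKEN", "GITHUB_TOKEN"} {
		if v := getenv(name); v != "" {
			return v, true
		}
	}
	return "", false
}

// stillValid applies the skew: a token is trusted only if it outlives now+skew.
func stillValid(expiresAt, now time.Time) bool {
	return expiresAt.IsZero() || now.Add(clockSkew).Before(expiresAt)
}

// canRefresh reports whether a refresh-token grant is worth attempting.
func canRefresh(tok cachedToken, now time.Time) bool {
	return tok.RefreshToken != "" && stillValid(tok.RefreshTokenExpiresAt, now)
}

// ensureToken is the decision procedure. probe answers "did GET /user return a
// definitive 401?" and must return false on transport errors, so an offline run
// keeps using the cached token. It is consulted only for legacy (no-expiry) entries.
func ensureToken(tok cachedToken, hasCache bool, now time.Time,
	getenv func(string) string, probe func(token string) bool) decision {
	if _, ok := envOverride(getenv); ok {
		return useEnv // CI escape hatch: the cache is never consulted
	}
	if !hasCache || tok.AccessToken == "" {
		return evict
	}
	if tok.ExpiresAt.IsZero() {
		if !probe(tok.AccessToken) {
			return useCached // not definitively rejected (or offline): keep it
		}
	} else if stillValid(tok.ExpiresAt, now) {
		return useCached
	}
	// Expired by clock, or legacy token rejected with 401: refresh or evict.
	if canRefresh(tok, now) {
		return doRefresh
	}
	return evict
}

// probeGitHubUser is a real probe for ensureToken: true only on HTTP 401.
func probeGitHubUser(client *http.Client, baseURL, token string) bool {
	req, err := http.NewRequest(http.MethodGet, baseURL+"/user", nil)
	if err != nil {
		return false
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Accept", "application/vnd.github+json")
	resp, err := client.Do(req)
	if err != nil {
		return false // transport failure is not a 401: offline use unaffected
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusUnauthorized
}

// statusLine mirrors the fixed `auth status`: an expired token is reported as such.
func statusLine(tok cachedToken, now time.Time) string {
	if !tok.ExpiresAt.IsZero() && !stillValid(tok.ExpiresAt, now) {
		return fmt.Sprintf("token expired (issued %s) - run apx auth login",
			tok.IssuedAt.UTC().Format(time.RFC3339))
	}
	return "authenticated"
}

func main() {
	now := time.Now()
	// Constructed sample entry: an expired user token with a refresh token.
	stale := cachedToken{AccessToken: "ghu_constructed", RefreshToken: "ghr_constructed",
		IssuedAt: now.Add(-9 * time.Hour), ExpiresAt: now.Add(-time.Hour)}
	fmt.Println(statusLine(stale, now))
	fmt.Println(ensureToken(stale, true, now, os.Getenv, func(string) bool { return false }))
}
```

The design point is that the network probe is the only step that can misclassify a token, so it is restricted to legacy entries and biased toward keeping the token: anything other than a definitive 401 (timeouts, 5xx, DNS failure) is treated as "not rejected", which is what makes offline use safe without reintroducing the old blind trust for tokens whose expiry is known.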