fix(ci): pass github packages publish token#5
Conversation
Greptile SummaryThis PR updates the reusable Bazel publish workflow pin to a revision that supports an optional Confidence Score: 4/5The PR is safe to merge from a stability perspective, but will not achieve its stated goal until the secret name is corrected (already flagged in a prior review thread). A P1 issue exists (GITHUB_-prefixed secret cannot be created in GitHub, so the token override silently resolves to empty string and the permission_denied root cause remains). That issue is capped at a 4/5 ceiling per severity guidance and was already surfaced in a previous review comment. .github/workflows/publish.yml — secret name must be renamed away from the reserved GITHUB_ prefix. Important Files Changed
Sequence DiagramsequenceDiagram
participant Caller as publish.yml (this repo)
participant Reusable as js-bazel-package.yml (ci-templates@c1fbeee)
participant GHR as GitHub Packages Registry
Caller->>Reusable: "uses: ...@c1fbeee / secrets: NPM_TOKEN, GITHUB_PACKAGES_TOKEN"
Note over Caller,Reusable: GITHUB_PACKAGES_TOKEN resolves to empty string (GITHUB_ prefix reserved)
Reusable->>Reusable: "Override token is empty — fall back to GITHUB_TOKEN"
Reusable->>GHR: "Publish with default GITHUB_TOKEN"
GHR-->>Reusable: "permission_denied: write_package"
Reviews (2): Last reviewed commit: "fix(ci): pass github packages publish to..." | Re-trigger Greptile |
| secrets: | ||
| NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
|
|
||
| GITHUB_PACKAGES_TOKEN: ${{ secrets.GITHUB_PACKAGES_TOKEN }} No newline at end of file |
There was a problem hiding this comment.
GITHUB_ prefix is reserved — secret cannot be created
GitHub explicitly forbids repository and organization secrets whose names start with GITHUB_ (docs). Attempting to save GITHUB_PACKAGES_TOKEN in repository settings will be rejected, so ${{ secrets.GITHUB_PACKAGES_TOKEN }} will always evaluate to an empty string. The reusable workflow will silently fall back to the default GITHUB_TOKEN, which is exactly the permission_denied: write_package root cause this PR intends to fix.
Rename the secret (e.g. PKG_ADMIN_TOKEN or PACKAGES_PUBLISH_TOKEN) both in repository settings and here:
| GITHUB_PACKAGES_TOKEN: ${{ secrets.GITHUB_PACKAGES_TOKEN }} | |
| GITHUB_PACKAGES_TOKEN: ${{ secrets.PKG_ADMIN_TOKEN }} |
Passes the optional
GITHUB_PACKAGES_TOKENthrough to the reusable Bazel package Publish workflow and updates the reusable workflow pin to the token-override capable revision.This is the follow-up to the GitHub Packages scope fix: the mirror package names are now
@tinyland-inc/*, but existing granular packages can still reject the repoGITHUB_TOKENwithpermission_denied: write_packageunless the package-admin token is passed.Tracking: TIN-713