Skip to content

fix(ci): pass github packages publish token#5

Merged
Jess Sullivan (Jesssullivan) merged 2 commits into
mainfrom
codex/tin713-github-packages-token
Apr 28, 2026
Merged

fix(ci): pass github packages publish token#5
Jess Sullivan (Jesssullivan) merged 2 commits into
mainfrom
codex/tin713-github-packages-token

Conversation

@Jesssullivan

Copy link
Copy Markdown
Contributor

Passes the optional GITHUB_PACKAGES_TOKEN through to the reusable Bazel package Publish workflow and updates the reusable workflow pin to the token-override capable revision.

This is the follow-up to the GitHub Packages scope fix: the mirror package names are now @tinyland-inc/*, but existing granular packages can still reject the repo GITHUB_TOKEN with permission_denied: write_package unless the package-admin token is passed.

Tracking: TIN-713

@greptile-apps

greptile-apps Bot commented Apr 28, 2026

Copy link
Copy Markdown

Greptile Summary

This PR updates the reusable Bazel publish workflow pin to a revision that supports an optional GITHUB_PACKAGES_TOKEN override, and wires that secret through from this caller workflow. The intent is to allow a package-admin token to bypass permission_denied: write_package errors encountered with the default GITHUB_TOKEN for pre-existing packages under @tinyland-inc/*.

Confidence Score: 4/5

The PR is safe to merge from a stability perspective, but will not achieve its stated goal until the secret name is corrected (already flagged in a prior review thread).

A P1 issue exists (GITHUB_-prefixed secret cannot be created in GitHub, so the token override silently resolves to empty string and the permission_denied root cause remains). That issue is capped at a 4/5 ceiling per severity guidance and was already surfaced in a previous review comment.

.github/workflows/publish.yml — secret name must be renamed away from the reserved GITHUB_ prefix.

Important Files Changed

Filename Overview
.github/workflows/publish.yml Bumps reusable workflow SHA pin and adds GITHUB_PACKAGES_TOKEN secret passthrough; the secret name uses the reserved GITHUB_ prefix (already flagged in a prior review thread), so it will resolve to empty string and the override will not take effect.

Sequence Diagram

sequenceDiagram
    participant Caller as publish.yml (this repo)
    participant Reusable as js-bazel-package.yml (ci-templates@c1fbeee)
    participant GHR as GitHub Packages Registry

    Caller->>Reusable: "uses: ...@c1fbeee / secrets: NPM_TOKEN, GITHUB_PACKAGES_TOKEN"
    Note over Caller,Reusable: GITHUB_PACKAGES_TOKEN resolves to empty string (GITHUB_ prefix reserved)
    Reusable->>Reusable: "Override token is empty — fall back to GITHUB_TOKEN"
    Reusable->>GHR: "Publish with default GITHUB_TOKEN"
    GHR-->>Reusable: "permission_denied: write_package"
Loading

Reviews (2): Last reviewed commit: "fix(ci): pass github packages publish to..." | Re-trigger Greptile

Comment thread .github/workflows/publish.yml Outdated
secrets:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

GITHUB_PACKAGES_TOKEN: ${{ secrets.GITHUB_PACKAGES_TOKEN }} No newline at end of file

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 GITHUB_ prefix is reserved — secret cannot be created

GitHub explicitly forbids repository and organization secrets whose names start with GITHUB_ (docs). Attempting to save GITHUB_PACKAGES_TOKEN in repository settings will be rejected, so ${{ secrets.GITHUB_PACKAGES_TOKEN }} will always evaluate to an empty string. The reusable workflow will silently fall back to the default GITHUB_TOKEN, which is exactly the permission_denied: write_package root cause this PR intends to fix.

Rename the secret (e.g. PKG_ADMIN_TOKEN or PACKAGES_PUBLISH_TOKEN) both in repository settings and here:

Suggested change
GITHUB_PACKAGES_TOKEN: ${{ secrets.GITHUB_PACKAGES_TOKEN }}
GITHUB_PACKAGES_TOKEN: ${{ secrets.PKG_ADMIN_TOKEN }}

Comment thread .github/workflows/publish.yml Outdated
@Jesssullivan Jess Sullivan (Jesssullivan) merged commit 9a02ef1 into main Apr 28, 2026
3 checks passed
@Jesssullivan Jess Sullivan (Jesssullivan) deleted the codex/tin713-github-packages-token branch April 28, 2026 22:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant