fix(release): wait step uses GITHUB_TOKEN to list drafts #440

Merged
BryanFRD merged 1 commit into main from fix/publish-wait-uses-github-token
May 14, 2026

@BryanFRD
Contributor

Summary

Follow-up to #439. The wait step still failed for v4.7.3 because secrets.FERRFLOW_TOKEN (a fine-grained PAT) lacks read scope on /releases?per_page=100 — the runner returned 403 "Resource not accessible by personal access token" and the self-heal gh release create got the same 403. Verified in v4.7.3's failed Publish run.

Fix

Swap the wait step's GH_TOKEN from FERRFLOW_TOKEN (PAT, no list-releases scope) to secrets.GITHUB_TOKEN. The job already declares permissions: contents: write so the workflow-scoped token CAN list drafts on the repo's own releases.

The actual upload + publish steps below keep FERRFLOW_TOKEN because:

  • gh release upload doesn't need to list (it targets a known tag) and worked previously
  • ferrflow release (the publish step) needs the bot identity for branch-rule bypass and for ferrflow's own publish_release call

Test plan

  • No-op for any other workflow (only the wait step's env changes)
  • On merge to main, ferrflow auto-cuts v4.7.4 — wait step finds the draft within seconds via gh api
  • v4.7.4 release ends up with all 6 assets, becomes Latest
  • Re-trigger FerrGames-Cloud's main CI release step → succeeds, ships the 10 backlog PRs

Copilot AI review requested due to automatic review settings May 14, 2026 13:22
@BryanFRD BryanFRD merged commit 1bc73ba into main May 14, 2026
11 of 14 checks passed
@BryanFRD BryanFRD deleted the fix/publish-wait-uses-github-token branch May 14, 2026 13:22
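
The failure mode described in the summary above (a wait step polling `/releases?per_page=100` with a token that gets a 403), as an added example that is not part of this PR or the project's workflow: a polling helper that stops at once on an authorization error instead of retrying until timeout. The function names, the `fetch` callback, the release ids and the sample responses are constructed for illustration, and treating every 401/403 as fatal is this example's assumption.

```python
import json
import time

# Constructed (status, body) samples for GET /repos/{owner}/{repo}/releases?per_page=100
FORBIDDEN = (403, json.dumps({"message": "Resource not accessible by personal access token"}))
NO_DRAFT = (200, json.dumps([{"id": 1000, "tag_name": "v4.7.3", "draft": False}]))
WITH_DRAFT = (200, json.dumps([
    {"id": 1001, "tag_name": "v4.7.4", "draft": True},
    {"id": 1000, "tag_name": "v4.7.3", "draft": False},
]))


class TokenScopeError(RuntimeError):
    """The token is not allowed to list releases; polling again cannot succeed."""


def find_draft(status, body, tag):
    """Return the draft release for `tag`, or None if it is not listed (yet)."""
    if status in (401, 403):
        # Authorization failure: surface the API message instead of retrying.
        try:
            message = json.loads(body).get("message", "")
        except (ValueError, AttributeError):
            message = ""
        raise TokenScopeError(f"HTTP {status}: {message}")
    if status != 200:
        return None  # e.g. a 5xx: treated as transient, the caller polls again
    for release in json.loads(body):
        if release.get("tag_name") == tag and release.get("draft"):
            return release
    return None


def wait_for_draft(fetch, tag, attempts=10, delay=0.0):
    """Poll fetch() -> (status, body) until the draft for `tag` appears.

    Returns (release, polls_used). Raises TokenScopeError at once on 401/403
    and TimeoutError when the draft never shows up.
    """
    for poll in range(1, attempts + 1):
        release = find_draft(*fetch(), tag)
        if release is not None:
            return release, poll
        time.sleep(delay)
    raise TimeoutError(f"no draft release for {tag} after {attempts} polls")
```

In a workflow, `fetch` would wrap the authenticated API call; failing on the first 403 puts the token-scope problem in the step log directly rather than behind a timeout.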

Copilot AI left a comment

Pull request overview

This PR fixes the release pipeline “wait for draft release” step by authenticating the gh api /releases?per_page=100 polling call with the workflow-scoped GITHUB_TOKEN instead of the fine-grained FERRFLOW_TOKEN, avoiding the 403 (“Resource not accessible by personal access token”) seen in v4.7.3 publish runs.

Changes:

  • Switch the wait/self-heal step’s GH_TOKEN from secrets.FERRFLOW_TOKEN to secrets.GITHUB_TOKEN.
  • Update the inline rationale comment to document why GITHUB_TOKEN is required for the list-releases polling approach.


@github-actions github-actions Bot left a comment

Benchmark

| Benchmark suite | Current: 9fb2031 | Previous: 0b5fe57 | Ratio |
| --- | --- | --- | --- |
| git_collect_tags/single_tag | 46609 ns/iter (± 184) | | |

This comment was automatically generated by workflow using github-action-benchmark.
