fix(release): upload + publish steps use GITHUB_TOKEN to access drafts#441
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
This PR fixes the GitHub Release publish pipeline by switching the asset upload and draft publish steps in the Publish workflow to authenticate with the workflow-scoped GITHUB_TOKEN, which has the necessary access to draft releases when permissions: contents: write is granted at the job level.
Changes:
- Use
secrets.GITHUB_TOKENforgh release uploadso uploads can target draft releases reliably. - Use
secrets.GITHUB_TOKENfor./target/release/ferrflow releaseso publishing drafts works with the same token permissions. - Add inline workflow documentation explaining why
GITHUB_TOKENis required for these draft-release operations.
Comment on lines
195
to
+198
| run: ./target/release/ferrflow release | ||
| env: | ||
| FERRFLOW_TOKEN: ${{ secrets.FERRFLOW_TOKEN }} | ||
| GITHUB_TOKEN: ${{ secrets.FERRFLOW_TOKEN }} | ||
| FERRFLOW_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
Comment on lines
170
to
+179
| - name: Upload assets to draft release | ||
| # Same scope reason as the wait step above: FERRFLOW_TOKEN | ||
| # (fine-grained PAT) lacks the `Releases: write` scope needed | ||
| # for `gh release upload` against a draft. v4.7.4 failed here | ||
| # with "release not found" because gh CLI internally hits | ||
| # /repos/.../releases/tags/<tag> which excludes drafts, and | ||
| # then falls back to a list call the PAT can't see. The | ||
| # job-level `permissions: contents: write` grants GITHUB_TOKEN | ||
| # everything needed to write to draft release assets on the | ||
| # workflow's own repo. |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Benchmark
Details
| Benchmark suite | Current: eb9f6f2 | Previous: 0b5fe57 | Ratio |
|---|---|---|---|
full_check_flow/100_commits |
2663164 ns/iter (± 71301) |
||
full_check_flow/1000_commits |
27507050 ns/iter (± 348205) |
This comment was automatically generated by workflow using github-action-benchmark.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-up to #439 + #440. v4.7.4 Publish failed at the Upload step — gh release upload returned
release not foundbecause FERRFLOW_TOKEN PAT can't see drafts. Same scope issue. Fixed by switching the upload + publish steps to GITHUB_TOKEN (job-levelcontents: writeis sufficient). The publish step'sferrflow releaseonly calls find_draft_release + publish_release (GitHub API, no git push) so GITHUB_TOKEN works there too.`