From 03ffba567e176c45f53c0cec268d8c27a372bbaa Mon Sep 17 00:00:00 2001
From: Spencer Bryngelson
Date: Sat, 30 May 2026 15:07:46 -0400
Subject: [PATCH] ci(coverage): push refreshed map via classic PAT (CACHE_PUSH_TOKEN)

GitHub Apps cannot bypass the require-PR ruleset rule for direct pushes (documented limitation), so the app-token approach was abandoned. A classic PAT from an org-owner authenticates as a user with OrganizationAdmin bypass, which IS honored. Verified via a smoke-test that pushed to protected master with require-PR active. persist-credentials:false (already on master) ensures the PAT is the identity used, not GITHUB_TOKEN.
---
 .github/workflows/coverage-refresh.yml | 31 ++++++++++----------------
 1 file changed, 12 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/coverage-refresh.yml b/.github/workflows/coverage-refresh.yml
index eed11aae5a..7fd9def883 100644
--- a/.github/workflows/coverage-refresh.yml
+++ b/.github/workflows/coverage-refresh.yml
@@ -24,38 +24,31 @@ jobs:
     steps:
       # persist-credentials: false stops actions/checkout from configuring the
       # default GITHUB_TOKEN as an http.extraheader, which otherwise OVERRIDES the
-      # app-token credentials embedded in the push URL below — making the push
-      # authenticate as github-actions[bot] (not a ruleset bypass actor) and get
-      # rejected by the require-PR rule. With it off, the app token is used and the
-      # mfc-map-bot bypass applies.
+      # token embedded in the push URL below — making the push authenticate as
+      # github-actions[bot] (which cannot bypass the require-PR rule) instead of
+      # the CACHE_PUSH_TOKEN identity.
       - uses: actions/checkout@v4
         with: { clean: false, persist-credentials: false }
       - name: Build + collect coverage map (SLURM)
         run: bash .github/scripts/submit-slurm-job.sh .github/workflows/common/coverage-refresh.sh cpu none phoenix
-      # Mint a short-lived GitHub App installation token. The app is on the master
-      # ruleset's bypass list (Integration actor), so its push satisfies the
-      # "require pull request" rule that rejects the default GITHUB_TOKEN.
-      - name: Generate app token
-        id: app-token
-        uses: actions/create-github-app-token@v3
-        with:
-          app-id: ${{ secrets.MAP_BOT_APP_ID }}
-          private-key: ${{ secrets.MAP_BOT_APP_PRIVATE_KEY }}
       - name: Commit refreshed map
         env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          CACHE_PUSH_TOKEN: ${{ secrets.CACHE_PUSH_TOKEN }}
         run: |
           if ! git diff --quiet tests/coverage_map.json.gz; then
-            git config user.name "mfc-map-bot[bot]"
-            git config user.email "mfc-map-bot[bot]@users.noreply.github.com"
+            git config user.name "mfc-bot"
+            git config user.email "mfc-bot@users.noreply.github.com"
             git add tests/coverage_map.json.gz
             # --no-verify: this bot commit stages only the binary coverage map; it
             # must not run the repo pre-commit hook (./mfc.sh precheck/spelling),
             # which is for source changes and aborts the commit on the runner.
             git commit --no-verify -m "test: refresh coverage map [skip ci]"
-            # Push to master via the app installation token. The app is a bypass
-            # actor on the master ruleset, so the require-PR rule does not reject it.
-            git push "https://x-access-token:${GH_TOKEN}@github.com/MFlowCode/MFC.git" HEAD:master
+            # Push to master with CACHE_PUSH_TOKEN, a classic PAT from an org-owner
+            # account. GitHub Apps cannot bypass the require-PR ruleset rule for
+            # direct pushes, but a PAT authenticates as the user (OrganizationAdmin),
+            # which IS an honored bypass actor. persist-credentials:false above
+            # ensures this token is actually used for the push.
+            git push "https://x-access-token:${CACHE_PUSH_TOKEN}@github.com/MFlowCode/MFC.git" HEAD:master
           else
             echo "Coverage map unchanged."
           fi
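Review bot: The PAT is interpolated into the push URL on the last added line of the `run` block, which places the secret in the git process's argv (readable by other processes on the runner host) and in any URL git echoes on failure, independently of the secret masking Actions applies to job logs. A credential helper that reads the variable when git invokes it keeps the token off the command line: `git -c credential.helper='!f() { echo "username=x-access-token"; echo "password=${CACHE_PUSH_TOKEN}"; }; f' push https://github.com/MFlowCode/MFC.git HEAD:master` (single-quoted, so the step shell does not expand it). A classic PAT is not repository-scoped — it carries the org-owner account's access to every repository that account can reach — so if a fine-grained token limited to this repository with contents write still satisfies the ruleset bypass it is the better fit, and either way the token's expiry and rotation owner should be recorded in the comment above the push. Because this step runs on the same self-hosted SLURM path as the preceding build step (the `phoenix` argument) and the job's trigger and runner are defined outside the hunk, it is worth confirming that the workflow cannot be started from untrusted pull requests and that the runner is not shared with jobs that should not see an org-owner credential. With the app-token step removed, the mfc-map-bot app presumably remains on the ruleset's bypass list and its secrets remain configured; removing both closes a bypass path nothing uses any more.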