fix(ci): use default token for sponsors workflow checkout #62

Merged: Musiker15 merged 2 commits into main from fix/update-sponsors-workflow on May 26, 2026

@Musiker15
Member

Summary

Previous run failed in the checkout step:

fatal: could not read Username for 'https://github.com': terminal prompts disabled
The process '/usr/bin/git' failed with exit code 128

Root cause: actions/checkout was given ${{ secrets.SPONSORS_TOKEN }}, but
that secret is a user PAT scoped for the GitHub Sponsors GraphQL API — it has
no contents: write on the repo, so git fetch couldn't authenticate.

The job already declares permissions: contents: write, so the default
GITHUB_TOKEN is exactly what we want for the checkout + push. SPONSORS_TOKEN
now only gates the GraphQL request, which is its actual purpose.

Changes

  • Drop with: { token: ${{ secrets.SPONSORS_TOKEN }} } on the checkout step.
  • Add User-Agent header (GitHub rejects unidentified GraphQL requests with 403).
  • sponsor → sponsorEntity (handles both User and Organization sponsors) and
    inline avatarUrl(size: 60) instead of &s=60.
  • Fail fast on empty token / empty org data / missing marker block with
    ::error:: annotations.
  • Stop trying to write README_GER.md (doesn't exist).
  • Placeholder comment between markers when there are no sponsors.

Test plan

  • CI green on this PR
  • After merge: manually trigger Update Sponsors in README workflow
    (gh workflow run update-sponsors.yml) and confirm it completes successfully
  • Verify the resulting commit only changes the <!-- sponsors --> block in
    README.md (current single sponsor cashbankss should remain — they are the
    only known sponsor of MSK-Scripts)

If the GraphQL call still fails after this PR, the new ::error:: annotations
will pinpoint whether it's the token scope (read:user/read:org) or
something else.

🤖 Generated with Claude Code

Musiker15 added 2 commits May 26, 2026 12:13
The update-sponsors workflow used SPONSORS_TOKEN (a user PAT scoped for
the Sponsors GraphQL API) as the checkout token. That PAT has no push
rights on the repo, so `actions/checkout` failed with:

    fatal: could not read Username for 'https://github.com':
    terminal prompts disabled

Default GITHUB_TOKEN already has the right scope thanks to
`permissions: contents: write` on the job. SPONSORS_TOKEN now only
gates the GraphQL request, which is its actual purpose.

While here:
- Add a User-Agent header (GitHub requires one and rejects unidentified
  requests with 403).
- Switch `sponsor` → `sponsorEntity` (supports User and Organization
  sponsors) and inline `avatarUrl(size: 60)` instead of `&s=60`.
- Surface GraphQL/HTTP errors via `::error::` annotations and fail fast
  on empty token, empty org data, or a missing marker block.
- Stop trying to update a non-existent README_GER.md.
- Emit a placeholder comment between the markers when there are no
  sponsors (avoids two adjacent identical markers, which would break
  the next run's regex).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Signed-off-by: Moritz Kohm <moritz.kohm@gmail.com>
Signed-off-by: Musiker15 <info@musiker15.de>

The first PR landed the checkout fix but the run still failed in the
GraphQL step with `ValueError: Invalid header value b'bearer ***'` —
Python's http.client refuses headers containing `\r` or `\n`. The token
was likely pasted from a browser that wrapped it, leaving an internal
newline that `.strip()` doesn't touch.

Use `''.join(token.split())` to scrub all whitespace (a GitHub PAT
never contains any), then explicitly fail with a clear `::error::` if
the cleaned token differs from `.strip()`-only or looks too short.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Signed-off-by: Moritz Kohm <moritz.kohm@gmail.com>
Signed-off-by: Musiker15 <info@musiker15.de>

Musiker15 merged commit c5e2b0e into main May 26, 2026
8 of 9 checks passed
Musiker15 mentioned this pull request May 28, 2026 (5 tasks)
Musiker15 deleted the fix/update-sponsors-workflow branch May 28, 2026 17:54
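
Added example, not code from this PR: one way to implement the token check the second commit message describes, so that a secret with a stray internal newline fails with a clear `::error::` annotation instead of reaching `http.client` as an invalid header. The function names, the `MIN_TOKEN_LEN` threshold, the User-Agent string and the sample token are assumptions made for illustration.

```python
MIN_TOKEN_LEN = 20  # assumed threshold; the PR does not state the one it uses
SAMPLE_TOKEN = "example-token-" + "0" * 26  # constructed value, not a real PAT


class TokenError(ValueError):
    """The secret cannot be used as an Authorization header value."""


def clean_token(raw):
    """Return the token without surrounding whitespace, or raise TokenError.

    Scrub with ''.join(raw.split()), then refuse to continue if the result
    differs from a plain .strip() (internal whitespace) or looks too short.
    Messages carry counts only, never the token itself.
    """
    stripped = (raw or "").strip()
    if not stripped:
        raise TokenError("SPONSORS_TOKEN is empty")
    scrubbed = "".join(stripped.split())
    if scrubbed != stripped:
        removed = len(stripped) - len(scrubbed)
        raise TokenError(
            f"SPONSORS_TOKEN has {removed} internal whitespace character(s); "
            "re-save the secret as a single line"
        )
    if len(scrubbed) < MIN_TOKEN_LEN:
        raise TokenError(f"SPONSORS_TOKEN looks too short ({len(scrubbed)} chars)")
    return scrubbed


def graphql_headers(raw_token, user_agent="sponsors-readme-updater"):
    """Build the request headers; the User-Agent string is a made-up name."""
    return {
        "Authorization": f"bearer {clean_token(raw_token)}",
        "User-Agent": user_agent,
        "Content-Type": "application/json",
    }


def check(raw_token):
    """Return (exit_code, annotation) as a workflow step would report them."""
    try:
        graphql_headers(raw_token)
    except TokenError as exc:
        return 1, f"::error::{exc}"
    return 0, ""


if __name__ == "__main__":
    for raw in (SAMPLE_TOKEN + "\n", SAMPLE_TOKEN[:20] + "\n" + SAMPLE_TOKEN[20:]):
        print(check(raw))
```

A trailing newline is tolerated, while a newline inside the value stops the step before any request is built, and the annotation never echoes the secret.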