Problem
The Deploy job in the push workflow (.github/workflows/push.yaml) silently fails when trying to bump policyengine-us in the downstream API repos. The update_api.py script cannot push branches or create PRs in policyengine-api or policyengine-household-api.
Error output:
remote: Permission to policyengine/policyengine-api.git denied to policyengine[bot].
fatal: unable to access 'https://github.com/policyengine/policyengine-api/': The requested URL returned error: 403
pull request create failed: GraphQL: Resource not accessible by integration (createPullRequest)
Same errors repeat for policyengine-household-api.
Root Cause
The push-based approach (upstream clones downstream repos and pushes) is fundamentally fragile:
- GitHub App token scoping issues (token only valid for current repo)
- Git credential helper conflicts on GH Actions runners causing clones to hang
- No error handling (
os.system() calls)
- 5-minute
time.sleep() waiting for PyPI propagation
Solution
Replace with a pull-based cron model where each downstream repo polls PyPI for new versions:
Problem
The
Deployjob in the push workflow (.github/workflows/push.yaml) silently fails when trying to bumppolicyengine-usin the downstream API repos. Theupdate_api.pyscript cannot push branches or create PRs inpolicyengine-apiorpolicyengine-household-api.Error output:
Same errors repeat for
policyengine-household-api.Root Cause
The push-based approach (upstream clones downstream repos and pushes) is fundamentally fragile:
os.system()calls)time.sleep()waiting for PyPI propagationSolution
Replace with a pull-based cron model where each downstream repo polls PyPI for new versions:
Deployjob andupdate_api.pyentirely