Skip to content

fix(ci): rpm metadata syntax + release write permission#36

Merged
bearice merged 2 commits into
masterfrom
fix/ci-release
Jul 7, 2026
Merged

fix(ci): rpm metadata syntax + release write permission#36
bearice merged 2 commits into
masterfrom
fix/ci-release

Conversation

@bearice

@bearice bearice commented Jul 7, 2026

Copy link
Copy Markdown
Owner

Fixes the two CI failures that blocked the v2.4.0 release (run 28845487454).

1. Build .rpm failed

Field package.metadata.generate-rpm.recommends must be string or integer

cargo-generate-rpm 0.21 expects dependency fields as a table section, not an inline array. Changed:

# before
recommends = ["kdialog", "plasma-systemmonitor"]

# after
[package.metadata.generate-rpm.recommends]
kdialog = "*"
plasma-systemmonitor = "*"

Verified locally with cargo-generate-rpm v0.21.0: produces rustcat-2.4.0-1.x86_64.rpm containing /usr/bin/rust_cat, /usr/share/applications/rustcat.desktop, /usr/share/pixmaps/rustcat.ico, with Recommends: kdialog, plasma-systemmonitor.

2. Publish ... release failed

Unexpected error fetching GitHub release for tag refs/tags/v2.4.0: Resource not accessible by integration

The workflow declared only pull-requests: write, which makes every other GITHUB_TOKEN permission default to none — so softprops/action-gh-release couldn't upload assets. Added contents: write to the permissions: block (affects all three platform jobs' publish steps).

Post-merge

After merge, the v2.4.0 tag needs to move to the fixed commit and the release re-triggered — I'll handle that (move tag per the repo's documented release workflow, then gh release edit to fire the release: edited event).

🤖 Generated with Claude Code

Two CI failures blocked the v2.4.0 release:

1. "Build .rpm" failed with "Field package.metadata.generate-rpm.recommends
   must be string or integer" — cargo-generate-rpm 0.21 expects dependency
   fields as a table section, not an inline array. Switch recommends to
   [package.metadata.generate-rpm.recommends] with per-package version
   constraints. Verified locally: produces rustcat-2.4.0-1.x86_64.rpm with
   Recommends: kdialog, plasma-systemmonitor and the icon in pixmaps/.

2. "Publish ... release" failed with "Resource not accessible by
   integration" — the workflow declared only pull-requests: write, which
   makes contents default to none, so action-gh-release couldn't upload
   assets. Add contents: write to the permissions block.

Co-Authored-By: Claude <noreply@anthropic.com>

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the Cargo.toml file to correctly format the recommended dependencies for cargo-generate-rpm as a table section instead of an inline array, conforming to the 0.21 documentation. There are no review comments, so I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d68ae5ff8f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

# contents: write is required by softprops/action-gh-release to upload
# assets to a GitHub release. Specifying any permission makes all others
# default to none, so this must be listed explicitly.
contents: write

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Limit release write permission to release jobs

Because this workflow also runs on pull_request_target, this top-level contents: write permission is granted to every PR-target build job, even though only the tag/release upload steps need repository-content write access. Those PR jobs still execute third-party actions and build scripts before the release-only publish steps are skipped, so any compromised action or PR-target execution path gets a token capable of mutating repository contents/releases; move this permission to release-only jobs or split publishing into a release-only workflow while keeping PR-target jobs read-only.

Useful? React with 👍 / 👎.

…rball

The AppImage step had never run before (it sat after the failing rpm step),
and linuxdeploy can be finicky in CI: it prefers a PNG icon over the raw
.ico, and running an AppImage-from-AppImage needs FUSE which some runners
gate. Rather than let a flaky AppImage block the core deb/rpm/tarball
release artifacts:

- Convert the icon to PNG via ImageMagick (magick v7 / convert v6) with a
  raw-.ico fallback.
- Fall back to APPIMAGE_EXTRACT_AND_RUN when the nested AppImage can't run.
- Mark the build step continue-on-error and the upload if-no-files-found:
  ignore / if: always(), so the Linux job still publishes deb/rpm/tarball
  when AppImage fails.

Co-Authored-By: Claude <noreply@anthropic.com>
@bearice bearice merged commit 5e8bb21 into master Jul 7, 2026
2 of 3 checks passed
@bearice bearice deleted the fix/ci-release branch July 7, 2026 07:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant