Skip to content

fix(ci): unblock private docs sync from runner#72

Merged
wavekat-eason merged 4 commits into
mainfrom
debug/sync-docs-token
May 23, 2026
Merged

fix(ci): unblock private docs sync from runner#72
wavekat-eason merged 4 commits into
mainfrom
debug/sync-docs-token

Conversation

@wavekat-eason
Copy link
Copy Markdown
Contributor

@wavekat-eason wavekat-eason commented May 23, 2026

Summary

  • actions/checkout@v4 was setting a local repo http.extraheader using the default repo-scoped GITHUB_TOKEN, which overrode the SYNC_DOCS_TOKEN that scripts/sync-docs.js embeds in clone URLs — so every clone of the private wavekat-voice repo silently authenticated as the wrong token, got "Repository not found", and fell back to main instead of pinning to a tag.
  • persist-credentials: false on the checkout step prevents the extraheader from being set; sync-docs.js's URL-embedded SYNC_DOCS_TOKEN becomes the only Authorization header on the request and tag resolution works.
  • Applied to all three workflows that build the site (ci.yml, preview.yml, release.yml). The wavekat-brand submodule is public, so the checkout still resolves without persisted creds.

Why it only failed on the self-hosted runner

Local dev machines have no leftover extraheader, so URL creds win there. The runner inherits it from actions/checkout. REST API calls (used by gh) bypass git config entirely, which is why gh api repos/wavekat/wavekat-voice worked from the same runner.

Test plan

  • On a debug branch with the fix, npm run cf:build resolves voice @ v0.0.12 (will become v0.0.13 once wavekat-voice cuts that release) instead of falling back to main.
  • CI on this PR passes.
  • After merge, the preview deploy on the release-please PR (or any new branch) shows voice @ <tag> in the sync-docs output, not voice @ main.

🤖 Generated with Claude Code

wavekat-eason and others added 4 commits May 23, 2026 17:42
@wavekat-eason @claude
debug: print SYNC_DOCS_TOKEN fingerprint in CI
7f876cc 
CI keeps failing ls-remote (falls back to voice@main) while the same
token works locally. Add a one-off debug step printing length, prefix,
suffix, and sha256 first-16 of the token, plus a direct ls-remote
test — so we can compare CI's secret value to the local working one.

To be reverted once we identify the mismatch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@wavekat-eason @claude
debug: expand runner-side diagnostics for sync-docs
b9a7dd1 
Token sha256 matches local byte-for-byte, so bug is runner-side. Print
system+global git config, egress IP, REST API check via curl, verbose
git ls-remote, and an alt URL format (oauth2:) to identify which layer
is rejecting the request.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@wavekat-eason
debug: test Bearer extraheader auth (vs Basic URL creds)
e94f759
@wavekat-eason @claude
ci: disable persist-credentials on checkout for private docs sync
8b9b8c6 
actions/checkout@v4 was setting a local repo http.extraheader using
the default repo-scoped GITHUB_TOKEN, which overrode the SYNC_DOCS_TOKEN
embedded in URLs by scripts/sync-docs.js — so every clone of the
private wavekat-voice repo authenticated as the (unauthorized) default
token and got "Repository not found", silently falling back to main.

persist-credentials: false stops checkout from setting that header.
The wavekat-brand submodule is public so it still resolves without
auth. No other steps in these workflows need the persisted creds.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 23, 2026

🔗 Preview: https://debug-sync-docs-token.wavekat-com.pages.dev

@wavekat-eason wavekat-eason merged commit a82b0ee into main May 23, 2026
2 checks passed
@wavekat-eason wavekat-eason deleted the debug/sync-docs-token branch May 23, 2026 05:58
@github-actions github-actions Bot mentioned this pull request May 23, 2026
Merged
wavekat-eason pushed a commit that referenced this pull request May 23, 2026
@github-actions
chore(main): release wavekat-com 0.0.25 (#71)
93f768a 
🤖 I have created a release *beep* *boop*
---


##
[0.0.25](wavekat-com-v0.0.24...wavekat-com-v0.0.25)
(2026-05-23)


### Features

* enable voice docs sync from wavekat-voice
([#70](#70))
([7353fa3](7353fa3))
* **sync-docs:** ref override for previewing branches
([#73](#73))
([94eeadf](94eeadf))


### Bug Fixes

* **ci:** unblock private docs sync from runner
([#72](#72))
([a82b0ee](a82b0ee))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@wavekat-eason