Conversation
The release.yml workflow runs in two modes:

1. Push to main — secrets are inherited from the workflow run
2. workflow_call from snapshot.yml — secrets must be explicitly declared on the callee and explicitly passed through on the caller

#2320 added the dispatch step + read of secrets.DOWNSTREAM_DISPATCH_TOKEN but only handled mode 1. In mode 2 (which is what snapshot.yml does on every develop push) the secret is invisible regardless of whether the repo has it set, so the dispatch step always hits its graceful-degrade warning branch.

Fix is a 7-line passthrough: declare the secret as optional in the workflow_call.secrets block of release.yml, then pass it through from snapshot.yml. Since the step exits 0 when the secret is missing, no release ever breaks if the secret is unset — this just makes the secret actually visible when it IS set.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
bpamiri added a commit that referenced this pull request (Apr 27, 2026):
Empty commit to fire snapshot.yml -> release.yml -> repository_dispatch to homebrew-wheels and chocolatey-wheels.

Tests:
- DOWNSTREAM_DISPATCH_TOKEN with corrected Contents:write scope
- workflow_call secret passthrough (#2324)
- AUTO_MERGE_PAT propagating events on both downstream repos
- choco publish-on-merge firing automatically after auto-update merge

Expected: ~15-20 min for the full chain to complete with no manual nudges. Resulting wheels v0.3.7.<runNumber> on community.chocolatey.org.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Hot-fix for #2320. The dispatch step landed correctly, but it can't see the secret when `release.yml` is invoked via `workflow_call` from `snapshot.yml` (which is what happens on every push to `develop`). `workflow_call` requires:
Without both, `secrets.DOWNSTREAM_DISPATCH_TOKEN` evaluates to empty inside `release.yml` regardless of whether the repo actually has the secret set.
Symptom
The `develop` push for #2321 (merge SHA `4fd8dc9`) ran successfully end-to-end. Snapshot release was published, but the dispatch step printed:
```
##[warning]DOWNSTREAM_DISPATCH_TOKEN is not set on the repository
— homebrew/chocolatey auto-update will fall back to the daily cron tick.
```
…even though `gh secret list --repo wheels-dev/wheels` confirms the secret was set 7 minutes earlier at `2026-04-27T01:22:19Z`.
Fix
7 lines:
The secret is declared optional because the dispatch step still exits 0 when it's missing — releases are never blocked.
Verification
After merge, the next `develop` push will trigger snapshot.yml → release.yml with the token visible. Confirm by:
```bash
gh run view --repo wheels-dev/wheels --log | grep -E "Dispatching|workflows dispatched|::warning"
```
A successful run shows `Dispatching wheels-released to wheels-dev/homebrew-wheels...` followed by `✓ homebrew-wheels dispatched` etc.
Why this wasn't caught in #2320 review
The `workflow_call` secret-passthrough requirement is one of those GitHub Actions footguns that only manifests at runtime (no schema validation flags it). The release.yml change worked locally and in tests against `main` (where it'd be triggered by direct push, not workflow_call), and `gh actionlint` doesn't check workflow_call secret coverage.
🤖 Generated with Claude Code
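
The coverage check the description says `actionlint` does not perform, as an added example (not code from the wheels-dev/wheels repository or from this PR): given a reusable workflow and its caller, it lists every `${{ secrets.X }}` the callee reads that is not declared under `on.workflow_call.secrets`, and every caller job that `uses:` the callee without passing it. The two workflow pairs embedded below are constructed stand-ins for `release.yml` and `snapshot.yml` before and after the fix, the callee path `./.github/workflows/release.yml` is an assumption, and the scanner is a deliberately narrow indentation walk over the conventional two-space layout rather than a YAML parser, so it needs no third-party package.

```python
"""Lint a reusable workflow for workflow_call secret coverage (added example)."""
import re

# ${{ secrets.NAME }} reads inside the callee
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# "  key: value" lines of a block mapping (list items and script bodies do not match)
KEY_LINE = re.compile(r"^( *)([A-Za-z_][A-Za-z0-9_.-]*):[ \t]*(.*)$")
CALLEE_PATH = "./.github/workflows/release.yml"  # assumed path the caller uses

def _children(lines, idx, parent_indent):
    """Direct child keys of the mapping opened on line idx: (name, value, line, indent)."""
    out, child_indent = [], None
    for j in range(idx + 1, len(lines)):
        m = KEY_LINE.match(lines[j])
        if not m:
            continue
        ind = len(m.group(1))
        if ind <= parent_indent:
            break  # left the block
        child_indent = ind if child_indent is None else child_indent
        if ind == child_indent:
            out.append((m.group(2), m.group(3).strip(), j, ind))
    return out

def _find(lines, path):
    """(line, indent) of the mapping reached by following path, or None."""
    idx, ind = -1, -1
    for key in path:
        hit = [c for c in _children(lines, idx, ind) if c[0] == key]
        if not hit:
            return None
        _, _, idx, ind = hit[0]
    return idx, ind

def referenced_secrets(callee):
    return set(SECRET_REF.findall(callee)) - {"GITHUB_TOKEN"}  # always available

def declared_secrets(callee):
    lines = callee.splitlines()
    loc = _find(lines, ["on", "workflow_call", "secrets"])
    return {c[0] for c in _children(lines, *loc)} if loc else set()

def passed_secrets(caller, callee_path):
    """{job: names passed} for each job that uses callee_path; {'inherit'} = secrets: inherit."""
    lines = caller.splitlines()
    loc = _find(lines, ["jobs"])
    result = {}
    for job, _, jidx, jind in (_children(lines, *loc) if loc else []):
        fields = {c[0]: c for c in _children(lines, jidx, jind)}
        uses, sec = fields.get("uses"), fields.get("secrets")
        if uses is None or uses[1] != callee_path:
            continue
        if sec is None:
            result[job] = set()
        elif sec[1] == "inherit":
            result[job] = {"inherit"}
        else:
            result[job] = {c[0] for c in _children(lines, sec[2], sec[3])}
    return result

def check(callee, caller, callee_path=CALLEE_PATH):
    """Both parts empty means every secret the callee reads is declared and passed."""
    referenced = referenced_secrets(callee)
    unpassed = {}
    for job, passed in passed_secrets(caller, callee_path).items():
        missing = set() if "inherit" in passed else referenced - passed
        if missing:
            unpassed[job] = missing
    return {"undeclared": referenced - declared_secrets(callee), "unpassed": unpassed}

# Constructed workflows (not the real wheels-dev files) showing the bug and the fix.
CALLEE_BEFORE = """\
name: release
on:
  push:
    branches: [main]
  workflow_call:
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Dispatch downstream repos
        env:
          TOKEN: ${{ secrets.DOWNSTREAM_DISPATCH_TOKEN }}
        run: |
          if [ -z "$TOKEN" ]; then echo "::warning::DOWNSTREAM_DISPATCH_TOKEN is not set"; exit 0; fi
          echo "Dispatching wheels-released..."
"""
CALLEE_AFTER = CALLEE_BEFORE.replace(
    "  workflow_call:\n",
    "  workflow_call:\n    secrets:\n      DOWNSTREAM_DISPATCH_TOKEN:\n        required: false\n")
CALLER_BEFORE = """\
name: snapshot
on:
  push:
    branches: [develop]
jobs:
  release:
    uses: ./.github/workflows/release.yml
"""
CALLER_AFTER = CALLER_BEFORE + (
    "    secrets:\n      DOWNSTREAM_DISPATCH_TOKEN: ${{ secrets.DOWNSTREAM_DISPATCH_TOKEN }}\n")
CALLER_INHERIT = CALLER_BEFORE + "    secrets: inherit\n"

if __name__ == "__main__":
    print("before:", check(CALLEE_BEFORE, CALLER_BEFORE))
    print("after: ", check(CALLEE_AFTER, CALLER_AFTER))
```

Run against the "before" pair it reports `DOWNSTREAM_DISPATCH_TOKEN` as both undeclared in the callee and unpassed by the `release` job, which is exactly the silent empty-string condition the warning branch fires on; the "after" pair is clean. `secrets: inherit` on the caller job would also clear the "unpassed" finding, but it hands the callee every repository secret, so the explicit one-secret passthrough the PR uses is the least-privilege choice and the check treats `inherit` as a pass rather than recommending it.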