ci(winget): add weekly WINGET_TOKEN expiry reminder #326
Merged
winget-publish.yml's classic PAT (WINGET_TOKEN, public_repo) silently breaks WinGet auto-publish when it expires — and since that workflow fires on `release: released` (not the PR path), the failure goes unnoticed until WinGet is stuck at an old version.

Add a Monday 07:00 UTC (+ workflow_dispatch) probe that reads the token's REAL expiry from the `github-authentication-token-expiration` API response header and:

- < 28 days left -> opens/updates a tracking issue (labelled winget-token-expiry, assigned to githubrobbi) with rotation steps.
- expired / 401 / missing secret -> same issue with an ACT-NOW body.
- healthy -> auto-closes any open reminder, so a rotation resolves it.

Probing the real header (not a hard-coded date) also catches early revocation, scope changes, and manual rotations. Least-privilege (contents: read, issues: write); never runs from forks.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary

Closes the silent-failure gap on the WinGet auto-publish token.

`winget-publish.yml` needs a classic PAT (`WINGET_TOKEN`, `public_repo`) to fork+push to `microsoft/winget-pkgs`; when it expires, releases silently stop updating WinGet (the workflow fires on `release: released`, off the PR path, so nobody sees the red X).

What it does

A Monday 07:00 UTC (+ `workflow_dispatch`) job probes the token's real expiry — read from the `github-authentication-token-expiration` API response header, not a hard-coded date — and manages a single tracking issue:

`winget-token-expiry` label, assigned `githubrobbi`) with rotation steps

Probing the live header also catches early revocation, scope changes, and manual rotations — the reminder always reflects reality.

Least-privilege (`contents: read`, `issues: write`); never runs from forks. Single new workflow file; gates-drift + gen-workflow unaffected (they scope `pr-fast.yml`). Local `lint-pre-push` green.

🤖 Generated with Claude Code
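
The decision logic described above (remind under 28 days, act now on expiry, 401 or a missing secret, close when healthy), as an added example that is not the workflow code from this PR. The function names, the returned action strings, the accepted header date forms and the handling of an absent header or a non-200/401 status are assumptions made for illustration.

```python
from datetime import datetime, timezone

WARN_DAYS = 28  # reminder threshold stated in the PR description
HEADER = "github-authentication-token-expiration"


def parse_expiry(value):
    """Parse the header value into an aware UTC datetime.

    Assumed forms: 'YYYY-MM-DD HH:MM:SS UTC' or 'YYYY-MM-DD HH:MM:SS +hhmm'.
    """
    value = value.strip()
    if value.endswith(" UTC"):
        naive = datetime.strptime(value[:-4], "%Y-%m-%d %H:%M:%S")
        return naive.replace(tzinfo=timezone.utc)
    aware = datetime.strptime(value, "%Y-%m-%d %H:%M:%S %z")
    return aware.astimezone(timezone.utc)


def classify(token, status, headers, now):
    """Return (action, days_left) for one probe of the GitHub API.

    action is 'act-now', 'remind', 'close' or 'skip' (hypothetical names).
    """
    if not token:
        return ("act-now", None)  # secret missing from the repository
    if status == 401:
        return ("act-now", None)  # token expired or revoked
    if status != 200:
        # Assumption: a 5xx or rate limit says nothing about the token,
        # so neither open nor close the tracking issue on it.
        return ("skip", None)
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get(HEADER)
    if raw is None:
        # Assumption: no header means the token has no expiry set.
        return ("close", None)
    remaining = parse_expiry(raw) - now
    if remaining.total_seconds() <= 0:
        return ("act-now", remaining.days)
    if remaining.days < WARN_DAYS:  # whole days left, rounded down
        return ("remind", remaining.days)
    return ("close", remaining.days)
```

Keeping the classification separate from the HTTP call and the issue updates lets the thresholds be tested against constructed responses without a real token.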