Skip to content

fix(ci): pass github packages publish token#5

Merged
Jess Sullivan (Jesssullivan) merged 2 commits into
mainfrom
codex/tin713-github-packages-token
Apr 28, 2026
Merged

fix(ci): pass github packages publish token#5
Jess Sullivan (Jesssullivan) merged 2 commits into
mainfrom
codex/tin713-github-packages-token

Conversation

@Jesssullivan

@Jesssullivan Jess Sullivan (Jesssullivan) commented Apr 28, 2026

Copy link
Copy Markdown
Contributor

Passes the optional GITHUB_PACKAGES_TOKEN through to the reusable Bazel package Publish workflow and updates the reusable workflow pin to the token-override capable revision.

This is the follow-up to the GitHub Packages scope fix: the mirror package names are now @tinyland-inc/*, but existing granular packages can still reject the repo GITHUB_TOKEN with permission_denied: write_package unless the package-admin token is passed.

Tracking: TIN-713

@greptile-apps

greptile-apps Bot commented Apr 28, 2026
edited
Loading

Copy link
Copy Markdown

Greptile Summary

Pins the reusable Bazel publish workflow to a new SHA (c1fbeee) that accepts a GITHUB_PACKAGES_TOKEN override, and threads secrets.GITHUB_PACKAGES_TOKEN through to that workflow so packages under @tinyland-inc/* that reject the default GITHUB_TOKEN with permission_denied: write_package can be published using the dedicated admin token.

Confidence Score: 5/5

This PR is safe to merge — it makes a minimal, well-scoped CI change with no logic, security, or correctness issues.

Only one file changed; the secret is correctly forwarded via the secrets: block (not hardcoded or logged), the SHA pin update is explained by the PR description, and the optional token gracefully degrades to an empty string when not set in the repo.

No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/publish.yml Bumps the reusable workflow SHA to the token-override capable revision and forwards GITHUB_PACKAGES_TOKEN as a secret — no logic issues found.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions (publish.yml)
    participant RW as ci-templates/js-bazel-package.yml@c1fbeee
    participant NPM as npmjs.com
    participant GHPKG as GitHub Packages

    GH->>RW: uses (SHA pin c1fbeee)
    GH->>RW: secrets.NPM_TOKEN
    GH->>RW: secrets.GITHUB_PACKAGES_TOKEN
    RW->>NPM: publish (@tinyland-inc/tinyland-activitypub) via NPM_TOKEN
    RW->>GHPKG: publish (@tinyland-inc/tinyland-activitypub) via GITHUB_PACKAGES_TOKEN
Loading

Reviews (2): Last reviewed commit: "fix(ci): pass github packages publish to..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Apr 28, 2026
View reviewed changes
Comment thread .github/workflows/publish.yml Outdated
secrets:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

GITHUB_PACKAGES_TOKEN: ${{ secrets.GITHUB_PACKAGES_TOKEN }} No newline at end of file

@greptile-apps greptile-apps Bot Apr 28, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Missing newline at end of file

The file is missing a trailing newline (\ No newline at end of file in the diff). POSIX and most linters expect text files to end with a newline; some tools that consume the workflow file (e.g., actionlint, yamllint) may warn or error on this.

Suggested change
GITHUB_PACKAGES_TOKEN: ${{ secrets.GITHUB_PACKAGES_TOKEN }}
GITHUB_PACKAGES_TOKEN: ${{ secrets.GITHUB_PACKAGES_TOKEN }}

@Jesssullivan Jess Sullivan (Jesssullivan) merged commit 7b2bd42 into main Apr 28, 2026
3 checks passed
@Jesssullivan Jess Sullivan (Jesssullivan) deleted the codex/tin713-github-packages-token branch April 28, 2026 22:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Assignees

@Jesssullivan Jess Sullivan (Jesssullivan)

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Jesssullivan