Skip to content

fix(ci): use nonreserved github packages token#13

Merged
Jess Sullivan (Jesssullivan) merged 1 commit into
mainfrom
codex/tin713-nonreserved-package-token
Apr 28, 2026
Merged

fix(ci): use nonreserved github packages token#13
Jess Sullivan (Jesssullivan) merged 1 commit into
mainfrom
codex/tin713-nonreserved-package-token

Conversation

@Jesssullivan

@Jesssullivan Jess Sullivan (Jesssullivan) commented Apr 28, 2026

Copy link
Copy Markdown
Collaborator

Pins the package Publish workflow to the non-reserved token contract from ci-templates#24 and passes TINYLAND_GITHUB_PACKAGES_TOKEN where the workflow uses explicit secret mapping.

GitHub rejects custom Actions secret names beginning with GITHUB_, so the previous GITHUB_PACKAGES_TOKEN wiring could never be installed as an org secret.

Tracking: TIN-713

@greptile-apps

greptile-apps Bot commented Apr 28, 2026

Copy link
Copy Markdown

Greptile Summary

This PR fixes the CI publish workflow by renaming the secret passed to the reusable js-bazel-package workflow from GITHUB_PACKAGES_TOKEN to TINYLAND_GITHUB_PACKAGES_TOKEN, and pins the ci-templates reusable workflow to the corresponding new commit SHA (82308d0). GitHub Actions silently rejects org-level secrets whose names begin with the reserved GITHUB_ prefix, so the previous name could never be installed and the workflow would have failed to authenticate against GitHub Packages.

Confidence Score: 5/5

Safe to merge — one-line config fix with no logic or security concerns.

The change is minimal: a SHA bump to a pinned reusable workflow and a single secret mapping rename. The rename directly addresses a well-known GitHub Actions constraint on reserved secret-name prefixes, and no functionality is removed or altered.

No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/publish.yml Updated reusable workflow SHA pin and added correctly-named TINYLAND_GITHUB_PACKAGES_TOKEN secret to fix GitHub-reserved prefix constraint.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant PW as publish.yml
    participant CT as ci-templates/js-bazel-package.yml@82308d0
    participant GHCR as GitHub Packages (GHCR)
    participant NPM as npm Registry

    GH->>PW: Trigger (release published / workflow_dispatch)
    PW->>CT: Call reusable workflow<br/>secrets: NPM_TOKEN, TINYLAND_GITHUB_PACKAGES_TOKEN
    CT->>CT: Build & test (pnpm build, typecheck, unit tests)
    CT->>GHCR: Publish @tinyland-inc/tinyland-auth-pg<br/>(auth via TINYLAND_GITHUB_PACKAGES_TOKEN)
    CT->>NPM: Publish package<br/>(auth via NPM_TOKEN)
    CT-->>PW: Job result
Loading

Reviews (1): Last reviewed commit: "fix(ci): use nonreserved github packages..." | Re-trigger Greptile

@Jesssullivan Jess Sullivan (Jesssullivan) merged commit 146182a into main Apr 28, 2026
5 checks passed
@Jesssullivan Jess Sullivan (Jesssullivan) deleted the codex/tin713-nonreserved-package-token branch April 28, 2026 23:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@Jesssullivan Jess Sullivan (Jesssullivan)

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Jesssullivan