ci(upstream-sync): use write-scoped PAT for push; make notify best-effort
Run 90 hit two problems in sequence:
1. Built-in $GITEA_TOKEN is read-only by default in Gitea Actions, so
'git push origin main' 404'd ('failed to push some refs'). Swapped
to a new GIT_PUSH_TOKEN repo secret (admin-scoped PAT) which the
checkout action uses when wiring the authenticated remote.
2. None of our bot accounts are currently in the Infra Matrix room, so
the notification POST would 403 and fail the whole run. Made that
step continue-on-error — the sync is the critical path; a missed
ping is recoverable (check Actions UI, invite a bot later, etc).
parent e710e7d669
commit 5f7613ddac
1 changed file with 8 additions and 2 deletions
@ -32,8 +32,10 @@ jobs:
ref: main
fetch-depth: 0
lfs: false
# Built-in token Gitea hands us — scoped to this repo, has push.
token: ${{ secrets.GITEA_TOKEN }}
# Gitea's built-in GITEA_TOKEN is read-only by default.
# GIT_PUSH_TOKEN is a repo secret with a write-scoped PAT, so
# the subsequent `git push origin main` actually lands.
token: ${{ secrets.GIT_PUSH_TOKEN }}
- name: Fetch upstream + wallet
run: |
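Review bot: the new comment above `token: ${{ secrets.GIT_PUSH_TOKEN }}` calls the secret a write-scoped PAT, while the commit message describes it as an admin-scoped PAT; these should agree, and the least-privilege choice is a token limited to repository write on this one repo, because once checkout wires it into the authenticated remote every later step in the job can use it, not only `git push origin main`. It would also help to record in the comment which account owns the PAT and when it expires, so rotation does not surface as another unexplained 'failed to push some refs' in a future run.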
@ -84,7 +86,11 @@ jobs:
echo "wallet is $BEHIND commits behind main now; $NEW_ADDED new upstream commits this run"
- name: Matrix notification (Infra room)
# Best-effort — if the target bot isn't in the room or Matrix is
# flapping, don't fail the whole run. The advance + push is the
# critical path; notify is a convenience ping.
if: steps.ff.outputs.advanced == 'true'
continue-on-error: true
env:
MATRIX_TOKEN: ${{ secrets.MATRIX_HOUSE_BOT_TOKEN }}
run: |
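Review bot: `continue-on-error: true` on the Matrix notification step hides the 403 for good, not just until a bot is invited to the Infra room; the run stays green if MATRIX_HOUSE_BOT_TOKEN is later revoked or the room changes, and nobody is pinged to notice. Since the `run:` body is outside this hunk, at least make sure it prints the HTTP status from the POST so the failure is still visible in the step log, and track the room invite as a follow-up so this workaround is not mistaken for the fix.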