docs: close WP-0005 T02 publish smoke-test after OpenBao token fix
Some checks failed
ci / test (push) Failing after 33s

Document tegwick + inter-hub-pkg-rep token custody, remove CI debug echo,
and record successful workflow_dispatch auth (409 on existing 1.1.0).
2026-06-17 00:34:19 +02:00
parent 1522f12130
commit 11a35d18d8
3 changed files with 16 additions and 8 deletions

@@ -27,7 +27,6 @@ jobs:
TWINE_PASSWORD: ${{ secrets.PACKAGE_TOKEN }}
PYTHON_KEYRING_BACKEND: keyring.backends.null.Keyring
run: |
echo "twine_user=${TWINE_USERNAME} token_len=${#TWINE_PASSWORD}"
cd repo
python3 -m venv .build-venv
. .build-venv/bin/activate
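Review bot: With the debug `echo` gone from the top of the `run:` block, nothing checks that `TWINE_USERNAME` and `TWINE_PASSWORD` are non-empty before the venv build starts, so a missing secret only surfaces at the upload step. Consider a silent fail-fast guard in its place, for example `[ -n "${TWINE_PASSWORD}" ] || { echo "PACKAGE_TOKEN is empty" >&2; exit 1; }`, which prints neither the value nor its length. Runs made while the echo was in place will have the `twine_user=` / `token_len=` line in their logs, so decide whether those run logs should be deleted.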

@@ -61,7 +61,17 @@ Configure in Gitea: **Repository → Settings → Actions → Secrets**.
| Secret | Value |
|--------|-------|
| `PACKAGE_USER` | `tegwick` — Gitea username that owns the package token |
| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` (`write:package`); custody in OpenBao at `platform/data/operators/inter-hub/package-management` (field `inter-hub-pkg-rep`) |
| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` (`write:package`) |
Token custody (OpenBao):
```text
platform/data/operators/inter-hub/package-management
→ field: inter-hub-pkg-rep
```
Paste the **plaintext** token into the Gitea secret UI. `inter-hub-pkg-rep` is the
token name in Gitea, not a username.
Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACKAGE_TOKEN`
(not `GITEA_PACKAGE_USER`). Workflows use `runs-on: haskelseed` and native `git clone`
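Review bot: The custody path in the new `text` block, `platform/data/operators/inter-hub/package-management`, carries a `data/` segment, while the smoke-test note this commit replaces wrote the same location as `platform/operators/inter-hub/package-management`. If `platform` is a KV v2 mount, the `data/` form is the HTTP API path and the KV CLI expects the path without it. Say which form is documented here, so an operator fetching the token does not query a path that does not exist. The "Paste the **plaintext** token" line could also say to paste the value without surrounding whitespace or a trailing newline, since that is an easy way to reproduce a `401`.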
@@ -70,11 +80,10 @@ Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACK
The publish workflow fails at the upload step when either secret is missing or
invalid. Do not commit tokens to the repository.
**Smoke-test notes (2026-06-16):** `inter-hub-pkg-rep` is the **token name**, not a
Gitea user. `PACKAGE_USER` must be `tegwick`. Token value lives in OpenBao
(`platform/operators/inter-hub/package-management`, key `inter-hub-pkg-rep`).
Earlier `401` failures used the wrong token (`GITEA_API_TOKEN` ≠ package token).
Build step uses `.build-venv` (PEP 668 safe on haskelseed).
**Smoke-test (2026-06-16):** `workflow_dispatch` run #3042 authenticated successfully
(`409 Conflict` on re-upload of `1.1.0` — expected). Root causes of earlier `401`s:
wrong token (`GITEA_API_TOKEN` ≠ package token), wrong username (`inter-hub-pkg-rep`
is a token name), and a stale org-level secret. Build uses `.build-venv` (PEP 668).
Verify secrets without cutting a release:
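Review bot: The rewritten smoke-test note names "a stale org-level secret" as a root cause of the earlier `401`s, but the setup text in this file only describes repository-level secrets (**Repository → Settings → Actions → Secrets**). Add a sentence telling operators to check for organization-level `PACKAGE_USER` / `PACKAGE_TOKEN` entries and remove or update them, otherwise the next person configuring the workflow can hit the same failure. Since this note also records that `GITEA_API_TOKEN` was tried against the package endpoint, it is worth stating that the package token should stay scoped to `write:package` only.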

@@ -38,7 +38,7 @@ Confirm tag-triggered publication works end-to-end before the v1.2.0 cut.
### Tasks
- [x] T01 — Configure `PACKAGE_USER` (`tegwick`) and `PACKAGE_TOKEN` (OpenBao `inter-hub-pkg-rep` token) in Gitea
- [ ] T02 — Smoke-test `.gitea/workflows/publish-python-package.yml` via `workflow_dispatch`
- [x] T02 — Smoke-test `.gitea/workflows/publish-python-package.yml` via `workflow_dispatch` (auth OK; 409 on re-upload of 1.1.0)
- [x] T03 — Add pre-tag release checklist to `docs/PACKAGE_RELEASE.md` (secrets, `make package-check`, tag format)
### Definition of done
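Review bot: T02 is ticked on the strength of "auth OK; 409 on re-upload of 1.1.0", but the stated goal in this section is to confirm that tag-triggered publication works end-to-end before the v1.2.0 cut. A `409 Conflict` from a `workflow_dispatch` run shows the credentials were accepted; it exercises neither a successful upload of a new version nor the tag trigger. Either record that limitation next to the checkbox or keep a follow-up task open for the first real tag push. The commit page also shows `ci / test (push)` failing for this commit, which should be explained or fixed before the work package is treated as closed.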