From 11a35d18d8bfa532aea3b852c0c4951363943d16 Mon Sep 17 00:00:00 2001 From: tegwick Date: Wed, 17 Jun 2026 00:34:19 +0200 Subject: [PATCH] docs: close WP-0005 T02 publish smoke-test after OpenBao token fix Document tegwick + inter-hub-pkg-rep token custody, remove CI debug echo, and record successful workflow_dispatch auth (409 on existing 1.1.0). --- .gitea/workflows/publish-python-package.yml | 1 - docs/PACKAGE_RELEASE.md | 21 +++++++++++++------ .../kaizen-agentic-WP-0005-adoption-parity.md | 2 +- 3 files changed, 16 insertions(+), 8 deletions(-) diff --git a/.gitea/workflows/publish-python-package.yml b/.gitea/workflows/publish-python-package.yml index ccfc3ab..025be84 100644 --- a/.gitea/workflows/publish-python-package.yml +++ b/.gitea/workflows/publish-python-package.yml @@ -27,7 +27,6 @@ jobs: TWINE_PASSWORD: ${{ secrets.PACKAGE_TOKEN }} PYTHON_KEYRING_BACKEND: keyring.backends.null.Keyring run: | - echo "twine_user=${TWINE_USERNAME} token_len=${#TWINE_PASSWORD}" cd repo python3 -m venv .build-venv . .build-venv/bin/activate diff --git a/docs/PACKAGE_RELEASE.md b/docs/PACKAGE_RELEASE.md index abb5193..3667250 100644 --- a/docs/PACKAGE_RELEASE.md +++ b/docs/PACKAGE_RELEASE.md 
@@ -61,7 +61,17 @@ Configure in Gitea: **Repository → Settings → Actions → Secrets**. | Secret | Value | |--------|-------| | `PACKAGE_USER` | `tegwick` — Gitea username that owns the package token | -| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` (`write:package`); custody in OpenBao at `platform/data/operators/inter-hub/package-management` (field `inter-hub-pkg-rep`) | +| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` (`write:package`) | + +Token custody (OpenBao): + +```text +platform/data/operators/inter-hub/package-management + → field: inter-hub-pkg-rep +``` + +Paste the **plaintext** token into the Gitea secret UI. `inter-hub-pkg-rep` is the +token name in Gitea, not a username. Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACKAGE_TOKEN` (not `GITEA_PACKAGE_USER`). Workflows use `runs-on: haskelseed` and native `git clone` @@ -70,11 +80,10 @@ Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACK The publish workflow fails at the upload step when either secret is missing or invalid. Do not commit tokens to the repository. -**Smoke-test notes (2026-06-16):** `inter-hub-pkg-rep` is the **token name**, not a -Gitea user. `PACKAGE_USER` must be `tegwick`. Token value lives in OpenBao -(`platform/operators/inter-hub/package-management`, key `inter-hub-pkg-rep`). -Earlier `401` failures used the wrong token (`GITEA_API_TOKEN` ≠ package token). -Build step uses `.build-venv` (PEP 668 safe on haskelseed). +**Smoke-test (2026-06-16):** `workflow_dispatch` run #3042 authenticated successfully +(`409 Conflict` on re-upload of `1.1.0` — expected). Root causes of earlier `401`s: +wrong token (`GITEA_API_TOKEN` ≠ package token), wrong username (`inter-hub-pkg-rep` +is a token name), and a stale org-level secret. Build uses `.build-venv` (PEP 668). Verify secrets without cutting a release: 
diff --git a/workplans/kaizen-agentic-WP-0005-adoption-parity.md b/workplans/kaizen-agentic-WP-0005-adoption-parity.md index 9e87d06..af7238b 100644 --- a/workplans/kaizen-agentic-WP-0005-adoption-parity.md +++ b/workplans/kaizen-agentic-WP-0005-adoption-parity.md @@ -38,7 +38,7 @@ Confirm tag-triggered publication works end-to-end before the v1.2.0 cut. ### Tasks - [x] T01 — Configure `PACKAGE_USER` (`tegwick`) and `PACKAGE_TOKEN` (OpenBao `inter-hub-pkg-rep` token) in Gitea -- [ ] T02 — Smoke-test `.gitea/workflows/publish-python-package.yml` via `workflow_dispatch` +- [x] T02 — Smoke-test `.gitea/workflows/publish-python-package.yml` via `workflow_dispatch` (auth OK; 409 on re-upload of 1.1.0) - [x] T03 — Add pre-tag release checklist to `docs/PACKAGE_RELEASE.md` (secrets, `make package-check`, tag format) ### Definition of done
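Review bot: the logs of runs that executed the removed `echo "twine_user=${TWINE_USERNAME} token_len=${#TWINE_PASSWORD}"` line in `.gitea/workflows/publish-python-package.yml` still contain the username and the token length, and this patch only stops new runs from logging them. Suggest pruning those run logs as part of closing T02, and pointing future debugging at the "Verify secrets without cutting a release" procedure in `docs/PACKAGE_RELEASE.md` instead of an echo in the job.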
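Review bot: the custody path in the new text block of `docs/PACKAGE_RELEASE.md` (`platform/data/operators/inter-hub/package-management`) does not match the path in the smoke-test notes this patch deletes (`platform/operators/inter-hub/package-management`, no `data/` segment). If this is a KV v2 mount, the `data/` segment belongs to the HTTP API path and is left out of the CLI `kv get` path, so state which form is documented, or give both, so that an operator does not read a "not found" as a permissions problem.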
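Review bot: the new smoke-test paragraph in `docs/PACKAGE_RELEASE.md` lists "a stale org-level secret" among the root causes of the `401`s but does not say which secret it was or whether it was deleted or updated. Record the secret name and the fix, so the next operator can check for the same leftover. It would also help to state whether the job ends red on the `409 Conflict`, so that a failed run on re-upload of `1.1.0` is not mistaken for an auth failure.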
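Review bot: in `workplans/kaizen-agentic-WP-0005-adoption-parity.md`, T02 is checked off on an auth check only: the `409` on `1.1.0` means no artifact was uploaded, and the run came from `workflow_dispatch`, while the goal in the hunk context is to "Confirm tag-triggered publication works end-to-end before the v1.2.0 cut". Suggest wording the task as auth verified and keeping a separate open item for a tag-triggered upload of a new version.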