coulomb/kaizen-agentic
2
0
Fork 0
Code Issues 4 Pull Requests Actions Projects Releases Wiki Activity

docs: close WP-0005 T02 publish smoke-test after OpenBao token fix
Some checks failed
ci / test (push) Failing after 33s
Details

Browse Source 
Document tegwick + inter-hub-pkg-rep token custody, remove CI debug echo,
and record successful workflow_dispatch auth (409 on existing 1.1.0).
This commit is contained in:
Bernd Worsch
2026-06-17 00:34:19 +02:00
parent 1522f12130
commit 11a35d18d8
3 changed files with 16 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
docs/PACKAGE_RELEASE.md
View File

@@ -61,7 +61,17 @@ Configure in Gitea: **Repository → Settings → Actions → Secrets**.
| Secret | Value |
|--------|-------|
| `PACKAGE_USER` | `tegwick` — Gitea username that owns the package token |
| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` (`write:package`); custody in OpenBao at `platform/data/operators/inter-hub/package-management` (field `inter-hub-pkg-rep`) |
| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` (`write:package`) |
Token custody (OpenBao):
```text
platform/data/operators/inter-hub/package-management
→ field: inter-hub-pkg-rep
```
Paste the **plaintext** token into the Gitea secret UI. `inter-hub-pkg-rep` is the
token name in Gitea, not a username.
Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACKAGE_TOKEN`
(not `GITEA_PACKAGE_USER`). Workflows use `runs-on: haskelseed` and native `git clone`
@@ -70,11 +80,10 @@ Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACK
The publish workflow fails at the upload step when either secret is missing or
invalid. Do not commit tokens to the repository.
**Smoke-test notes (2026-06-16):** `inter-hub-pkg-rep` is the **token name**, not a
Gitea user. `PACKAGE_USER` must be `tegwick`. Token value lives in OpenBao
(`platform/operators/inter-hub/package-management`, key `inter-hub-pkg-rep`).
Earlier `401` failures used the wrong token (`GITEA_API_TOKEN` ≠ package token).
Build step uses `.build-venv` (PEP 668 safe on haskelseed).
**Smoke-test (2026-06-16):** `workflow_dispatch` run #3042 authenticated successfully
(`409 Conflict` on re-upload of `1.1.0` — expected). Root causes of earlier `401`s:
wrong token (`GITEA_API_TOKEN` ≠ package token), wrong username (`inter-hub-pkg-rep`
is a token name), and a stale org-level secret. Build uses `.build-venv` (PEP 668).
Verify secrets without cutting a release: