From 1c0c9accd95139a3263ba6ce76b9ec269967a628 Mon Sep 17 00:00:00 2001 From: tegwick Date: Wed, 17 Jun 2026 00:14:24 +0200 Subject: [PATCH] =?UTF-8?q?fix:=20publish=20workflow=20auth=20=E2=80=94=20?= =?UTF-8?q?tegwick=20user,=20OpenBao=20token,=20explicit=20twine=20creds?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit inter-hub-pkg-rep is the Gitea token name (not a username). PACKAGE_USER is tegwick; token custody is OpenBao platform/operators/inter-hub/package-management. Disable keyring in CI and pass twine --username/--password explicitly. --- .gitea/workflows/publish-python-package.yml | 4 ++++ docs/PACKAGE_RELEASE.md | 13 +++++++------ workplans/kaizen-agentic-WP-0005-adoption-parity.md | 2 +- 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/.gitea/workflows/publish-python-package.yml b/.gitea/workflows/publish-python-package.yml index c37e4fe..025be84 100644 --- a/.gitea/workflows/publish-python-package.yml +++ b/.gitea/workflows/publish-python-package.yml @@ -25,6 +25,7 @@ jobs: env: TWINE_USERNAME: ${{ secrets.PACKAGE_USER }} TWINE_PASSWORD: ${{ secrets.PACKAGE_TOKEN }} + PYTHON_KEYRING_BACKEND: keyring.backends.null.Keyring run: | cd repo python3 -m venv .build-venv @@ -33,5 +34,8 @@ jobs: python -m build python -m twine check dist/* python -m twine upload \ + --username "${TWINE_USERNAME}" \ + --password "${TWINE_PASSWORD}" \ + --non-interactive \ --repository-url https://gitea.coulomb.social/api/packages/coulomb/pypi \ dist/* diff --git a/docs/PACKAGE_RELEASE.md b/docs/PACKAGE_RELEASE.md index f15b753..abb5193 100644 --- a/docs/PACKAGE_RELEASE.md +++ b/docs/PACKAGE_RELEASE.md 
@@ -60,8 +60,8 @@ Configure in Gitea: **Repository → Settings → Actions → Secrets**. | Secret | Value | |--------|-------| -| `PACKAGE_USER` | `inter-hub-pkg-rep` — forge package-publish service account | -| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` with `write:package` scope | +| `PACKAGE_USER` | `tegwick` — Gitea username that owns the package token | +| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` (`write:package`); custody in OpenBao at `platform/data/operators/inter-hub/package-management` (field `inter-hub-pkg-rep`) | Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACKAGE_TOKEN` (not `GITEA_PACKAGE_USER`). Workflows use `runs-on: haskelseed` and native `git clone` @@ -70,10 +70,11 @@ Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACK The publish workflow fails at the upload step when either secret is missing or invalid. Do not commit tokens to the repository. -**Smoke-test result (2026-06-16):** run #17 built and passed `twine check`; upload -returned `401` when `PACKAGE_USER` did not match the token owner. Use the -`inter-hub-pkg-rep` service account and its API token for both secrets. Build -step uses `.build-venv` (PEP 668 safe on haskelseed). +**Smoke-test notes (2026-06-16):** `inter-hub-pkg-rep` is the **token name**, not a +Gitea user. `PACKAGE_USER` must be `tegwick`. Token value lives in OpenBao +(`platform/operators/inter-hub/package-management`, key `inter-hub-pkg-rep`). +Earlier `401` failures used the wrong token (`GITEA_API_TOKEN` ≠ package token). +Build step uses `.build-venv` (PEP 668 safe on haskelseed). Verify secrets without cutting a release: diff --git a/workplans/kaizen-agentic-WP-0005-adoption-parity.md b/workplans/kaizen-agentic-WP-0005-adoption-parity.md index aeba0c1..9e87d06 100644 --- a/workplans/kaizen-agentic-WP-0005-adoption-parity.md +++ b/workplans/kaizen-agentic-WP-0005-adoption-parity.md 
@@ -37,7 +37,7 @@ Confirm tag-triggered publication works end-to-end before the v1.2.0 cut. ### Tasks -- [x] T01 — Configure `PACKAGE_USER` (`inter-hub-pkg-rep`) and `PACKAGE_TOKEN` (inter-hub-pkg-rep API token) in Gitea +- [x] T01 — Configure `PACKAGE_USER` (`tegwick`) and `PACKAGE_TOKEN` (OpenBao `inter-hub-pkg-rep` token) in Gitea - [ ] T02 — Smoke-test `.gitea/workflows/publish-python-package.yml` via `workflow_dispatch` - [x] T03 — Add pre-tag release checklist to `docs/PACKAGE_RELEASE.md` (secrets, `make package-check`, tag format)
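Review bot: In the `twine upload` hunk of `.gitea/workflows/publish-python-package.yml` (`@@ -33,5 +34,8 @@`), `--username "${TWINE_USERNAME}"` and `--password "${TWINE_PASSWORD}"` duplicate what twine already reads from the `TWINE_USERNAME` / `TWINE_PASSWORD` variables set in the step's `env:` block, and passing the token as a command-line argument puts it in the process argument list, where any other process on the `haskelseed` runner can read it with `ps`. Keep `--non-interactive` (a missing credential then fails fast instead of hanging on a prompt) and drop the two explicit flags. If the motivation was the keyring lookup, the `PYTHON_KEYRING_BACKEND: keyring.backends.null.Keyring` line added in the previous hunk is sufficient on its own, and twine only falls back to keyring when no credential was supplied, so with the env vars set the flags change nothing except exposure.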
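Review bot: In the secrets table hunk of `docs/PACKAGE_RELEASE.md` (`@@ -60,8 +60,8 @@`), the OpenBao path in the `PACKAGE_TOKEN` row, `platform/data/operators/inter-hub/package-management`, disagrees with the path given in the next hunk and in the commit message, `platform/operators/inter-hub/package-management`. The `data/` segment is the KV v2 HTTP API form; the `bao kv get` form omits it. Use one form in both places (the CLI form is what an operator will type), and use one word, `key` or `field`, for the secret field name in both. Separately, the removed row described `PACKAGE_USER` as a "forge package-publish service account"; the replacement binds publishing to the personal account `tegwick`, so the row (or the notes below it) should say that both secrets must be rotated when that account's access changes.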
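Review bot: In the smoke-test hunk of `docs/PACKAGE_RELEASE.md` (`@@ -70,10 +70,11 @@`), the removed paragraph recorded a concrete outcome (run #17 built, passed `twine check`, upload returned `401`); the replacement explains the earlier `401` as the wrong token (`GITEA_API_TOKEN`) but does not say whether an upload has succeeded with the corrected secrets. The workplan hunk in the same patch leaves T02 (smoke-test via `workflow_dispatch`) unchecked, so add one sentence here stating that the upload is not yet verified with the corrected `PACKAGE_USER` / `PACKAGE_TOKEN`, so the notes and the workplan agree and the next reader does not assume the fix was confirmed.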
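Review bot: In the `workplans/kaizen-agentic-WP-0005-adoption-parity.md` hunk, the rewritten T01 names the token as "OpenBao `inter-hub-pkg-rep` token" without a path or mount, while `docs/PACKAGE_RELEASE.md` is being made the custody reference in the same patch. Point T01 at that document (or repeat the same OpenBao path used there) so the workplan does not leave a reader guessing which mount holds the token.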