fix: publish workflow auth — tegwick user, OpenBao token, explicit twine creds
Some checks failed
ci / test (push) Failing after 37s
Some checks failed
ci / test (push) Failing after 37s
inter-hub-pkg-rep is the Gitea token name (not a username). PACKAGE_USER is tegwick; token custody is OpenBao platform/operators/inter-hub/package-management. Disable keyring in CI and pass twine --username/--password explicitly.
This commit is contained in:
@@ -60,8 +60,8 @@ Configure in Gitea: **Repository → Settings → Actions → Secrets**.
|
||||
|
||||
| Secret | Value |
|
||||
|--------|-------|
|
||||
| `PACKAGE_USER` | `inter-hub-pkg-rep` — forge package-publish service account |
|
||||
| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` with `write:package` scope |
|
||||
| `PACKAGE_USER` | `tegwick` — Gitea username that owns the package token |
|
||||
| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` (`write:package`); custody in OpenBao at `platform/data/operators/inter-hub/package-management` (field `inter-hub-pkg-rep`) |
|
||||
|
||||
Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACKAGE_TOKEN`
|
||||
(not `GITEA_PACKAGE_USER`). Workflows use `runs-on: haskelseed` and native `git clone`
|
||||
@@ -70,10 +70,11 @@ Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACK
|
||||
The publish workflow fails at the upload step when either secret is missing or
|
||||
invalid. Do not commit tokens to the repository.
|
||||
|
||||
**Smoke-test result (2026-06-16):** run #17 built and passed `twine check`; upload
|
||||
returned `401` when `PACKAGE_USER` did not match the token owner. Use the
|
||||
`inter-hub-pkg-rep` service account and its API token for both secrets. Build
|
||||
step uses `.build-venv` (PEP 668 safe on haskelseed).
|
||||
**Smoke-test notes (2026-06-16):** `inter-hub-pkg-rep` is the **token name**, not a
|
||||
Gitea user. `PACKAGE_USER` must be `tegwick`. Token value lives in OpenBao
|
||||
(`platform/operators/inter-hub/package-management`, key `inter-hub-pkg-rep`).
|
||||
Earlier `401` failures used the wrong token (`GITEA_API_TOKEN` ≠ package token).
|
||||
Build step uses `.build-venv` (PEP 668 safe on haskelseed).
|
||||
|
||||
Verify secrets without cutting a release:
|
||||
|
||||
|
||||
Reference in New Issue
Block a user