From 2a03eed0129c17ebe5386781c038b6eed1d0cf63 Mon Sep 17 00:00:00 2001 From: tegwick Date: Tue, 16 Jun 2026 03:13:01 +0200 Subject: [PATCH] fix: Gitea Actions use haskelseed runner and PACKAGE_* secrets ubuntu-latest never matched the self-hosted runner; Gitea also rejects GITEA_-prefixed secret names. Wire publish workflow to PACKAGE_USER/TOKEN. --- .gitea/workflows/ci.yml | 2 +- .gitea/workflows/publish-python-package.yml | 6 +++--- docs/PACKAGE_RELEASE.md | 9 ++++++--- workplans/kaizen-agentic-WP-0005-adoption-parity.md | 4 ++-- 4 files changed, 12 insertions(+), 9 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 6a4d3d5..fb89afb 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -8,7 +8,7 @@ on: jobs: test: - runs-on: ubuntu-latest + runs-on: haskelseed strategy: matrix: python-version: ["3.10", "3.12"] diff --git a/.gitea/workflows/publish-python-package.yml b/.gitea/workflows/publish-python-package.yml index f0cfbcd..5923dba 100644 --- a/.gitea/workflows/publish-python-package.yml +++ b/.gitea/workflows/publish-python-package.yml @@ -8,7 +8,7 @@ on: jobs: publish: - runs-on: ubuntu-latest + runs-on: haskelseed steps: - name: Check out source uses: actions/checkout@v4 @@ -29,8 +29,8 @@ jobs: - name: Upload to Gitea PyPI env: - TWINE_USERNAME: ${{ secrets.GITEA_PACKAGE_USER }} - TWINE_PASSWORD: ${{ secrets.GITEA_PACKAGE_TOKEN }} + TWINE_USERNAME: ${{ secrets.PACKAGE_USER }} + TWINE_PASSWORD: ${{ secrets.PACKAGE_TOKEN }} run: >- python -m twine upload --repository-url https://gitea.coulomb.social/api/packages/coulomb/pypi diff --git a/docs/PACKAGE_RELEASE.md b/docs/PACKAGE_RELEASE.md index 16b1897..7093519 100644 --- a/docs/PACKAGE_RELEASE.md +++ b/docs/PACKAGE_RELEASE.md 
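Review bot: `runs-on: haskelseed` moves the `test` job onto a self-hosted runner, and the same label is given to the `publish` job in `.gitea/workflows/publish-python-package.yml`, so the job that receives the package token shares a host with ordinary CI runs. The `on:` triggers lie outside this hunk; if they include pull requests from contributors who are not fully trusted, that code executes on the runner host. Anything it leaves behind (caches, tool installs, workspace files) could influence a later publish run unless the runner starts every job in a fresh container. Consider a separate runner label for publishing, or at least record the assumption above the line, e.g. `# self-hosted runner: jobs must run in throwaway containers; the publish job shares this label`.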
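Review bot: In the `Upload to Gitea PyPI` step, `${{ secrets.PACKAGE_USER }}` and `${{ secrets.PACKAGE_TOKEN }}` presumably expand to empty strings when the secrets are not defined, and twine may then fall back to prompting for credentials instead of failing. The `run:` command continues past the end of this hunk, so it may already pass `--non-interactive`; if it does not, adding `TWINE_NON_INTERACTIVE: "1"` to this `env:` block makes the step fail immediately. The docs change in this commit gives the token `write:package` scope and names a personal account as the example user. A dedicated publishing account would limit what a leaked token can reach if the self-hosted runner is ever compromised.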
@@ -60,8 +60,11 @@ Configure in Gitea: **Repository → Settings → Actions → Secrets**. | Secret | Value | |--------|-------| -| `GITEA_PACKAGE_USER` | Gitea username with package upload permission (e.g. `tegwick`) | -| `GITEA_PACKAGE_TOKEN` | Gitea API token with `write:package` scope | +| `PACKAGE_USER` | Gitea username with package upload permission (e.g. `tegwick`) | +| `PACKAGE_TOKEN` | Gitea API token with `write:package` scope | + +Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACKAGE_TOKEN` +(not `GITEA_PACKAGE_USER`). The publish workflow fails at the upload step when either secret is missing or invalid. Do not commit tokens to the repository. @@ -79,7 +82,7 @@ Before `git tag vX.Y.Z && git push origin vX.Y.Z`: - [ ] `make release-check` passes (tests, flake8, version consistency, agent parity) - [ ] `make package-check` builds and validates `dist/*` - [ ] `CHANGELOG.md` has a dated `[X.Y.Z]` section matching `pyproject.toml` -- [ ] `GITEA_PACKAGE_USER` and `GITEA_PACKAGE_TOKEN` secrets are set +- [ ] `PACKAGE_USER` and `PACKAGE_TOKEN` secrets are set - [ ] Publish workflow smoke-tested via `workflow_dispatch` (or prior tag release) - [ ] `make agents-sync-package` run if `agents/` changed since last release diff --git a/workplans/kaizen-agentic-WP-0005-adoption-parity.md b/workplans/kaizen-agentic-WP-0005-adoption-parity.md index ff59144..79f1ef4 100644 --- a/workplans/kaizen-agentic-WP-0005-adoption-parity.md +++ b/workplans/kaizen-agentic-WP-0005-adoption-parity.md 
@@ -37,8 +37,8 @@ Confirm tag-triggered publication works end-to-end before the v1.2.0 cut. ### Tasks -- [ ] T01 — Configure `GITEA_PACKAGE_USER` and `GITEA_PACKAGE_TOKEN` secrets in Gitea repo settings (document checklist in `docs/PACKAGE_RELEASE.md`) -- [ ] T02 — Smoke-test `.gitea/workflows/publish-python-package.yml` via `workflow_dispatch` (run #7 dispatched 2026-06-16; queued pending runner) +- [x] T01 — Configure `PACKAGE_USER` and `PACKAGE_TOKEN` secrets in Gitea (Gitea rejects `GITEA_*` secret names) +- [ ] T02 — Smoke-test `.gitea/workflows/publish-python-package.yml` via `workflow_dispatch` - [x] T03 — Add pre-tag release checklist to `docs/PACKAGE_RELEASE.md` (secrets, `make package-check`, tag format) ### Definition of done