coulomb/kaizen-agentic
2
0
Fork 0
Code Issues 4 Pull Requests Actions Projects Releases Wiki Activity

fix: use inter-hub-pkg-rep for Gitea publish auth (WP-0005 T02)
Some checks failed
ci / test (push) Failing after 39s
Details

Browse Source 
Wire PACKAGE_USER into git clone URL and document inter-hub-pkg-rep as the
forge package-publish service account for PACKAGE_USER/PACKAGE_TOKEN.
This commit is contained in:
Bernd Worsch
2026-06-16 23:18:36 +02:00
parent 47b743a074
commit cb068cc2b5
3 changed files with 9 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.gitea/workflows/publish-python-package.yml
View File

@@ -12,10 +12,11 @@ jobs:
steps:
- name: Check out source
env:
PACKAGE_USER: ${{ secrets.PACKAGE_USER }}
PACKAGE_TOKEN: ${{ secrets.PACKAGE_TOKEN }}
run: |
git clone --depth 1 \
"https://tegwick:${PACKAGE_TOKEN}@gitea.coulomb.social/coulomb/kaizen-agentic.git" \
"https://${PACKAGE_USER}:${PACKAGE_TOKEN}@gitea.coulomb.social/coulomb/kaizen-agentic.git" \
repo
cd repo
git checkout "${{ gitea.sha }}"

13
docs/PACKAGE_RELEASE.md
View File

@@ -60,8 +60,8 @@ Configure in Gitea: **Repository → Settings → Actions → Secrets**.
| Secret | Value |
|--------|-------|
| `PACKAGE_USER` | Gitea username with package upload permission (e.g. `tegwick`) |
| `PACKAGE_TOKEN` | Gitea API token with `write:package` scope |
| `PACKAGE_USER` | `inter-hub-pkg-rep` — forge package-publish service account |
| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` with `write:package` scope |
Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACKAGE_TOKEN`
(not `GITEA_PACKAGE_USER`). Workflows use `runs-on: haskelseed` and native `git clone`
@@ -70,11 +70,10 @@ Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACK
The publish workflow fails at the upload step when either secret is missing or
invalid. Do not commit tokens to the repository.
**Smoke-test result (2026-06-16):** `workflow_dispatch` run #17 built and passed
`twine check`; upload returned `401 Unauthorized`. That indicates
`PACKAGE_USER` / `PACKAGE_TOKEN` repo secrets need verification (token must
include `write:package`, username must match the token owner). Build step uses
`.build-venv` and is PEP 668 safe on haskelseed.
**Smoke-test result (2026-06-16):** run #17 built and passed `twine check`; upload
returned `401` when `PACKAGE_USER` did not match the token owner. Use the
`inter-hub-pkg-rep` service account and its API token for both secrets. Build
step uses `.build-venv` (PEP 668 safe on haskelseed).
Verify secrets without cutting a release:

2
workplans/kaizen-agentic-WP-0005-adoption-parity.md
View File

@@ -37,7 +37,7 @@ Confirm tag-triggered publication works end-to-end before the v1.2.0 cut.
### Tasks
- [x] T01 — Configure `PACKAGE_USER` and `PACKAGE_TOKEN` secrets in Gitea (Gitea rejects `GITEA_*` secret names)
- [x] T01 — Configure `PACKAGE_USER` (`inter-hub-pkg-rep`) and `PACKAGE_TOKEN` (inter-hub-pkg-rep API token) in Gitea
- [ ] T02 — Smoke-test `.gitea/workflows/publish-python-package.yml` via `workflow_dispatch`
- [x] T03 — Add pre-tag release checklist to `docs/PACKAGE_RELEASE.md` (secrets, `make package-check`, tag format)