fix: use inter-hub-pkg-rep for Gitea publish auth (WP-0005 T02)
Some checks failed
ci / test (push) Failing after 39s

Wire PACKAGE_USER into git clone URL and document inter-hub-pkg-rep as the
forge package-publish service account for PACKAGE_USER/PACKAGE_TOKEN.
This commit is contained in:
2026-06-16 23:18:36 +02:00
parent 47b743a074
commit cb068cc2b5
3 changed files with 9 additions and 9 deletions

View File

@@ -12,10 +12,11 @@ jobs:
steps: steps:
- name: Check out source - name: Check out source
env: env:
PACKAGE_USER: ${{ secrets.PACKAGE_USER }}
PACKAGE_TOKEN: ${{ secrets.PACKAGE_TOKEN }} PACKAGE_TOKEN: ${{ secrets.PACKAGE_TOKEN }}
run: | run: |
git clone --depth 1 \ git clone --depth 1 \
"https://tegwick:${PACKAGE_TOKEN}@gitea.coulomb.social/coulomb/kaizen-agentic.git" \ "https://${PACKAGE_USER}:${PACKAGE_TOKEN}@gitea.coulomb.social/coulomb/kaizen-agentic.git" \
repo repo
cd repo cd repo
git checkout "${{ gitea.sha }}" git checkout "${{ gitea.sha }}"

View File

@@ -60,8 +60,8 @@ Configure in Gitea: **Repository → Settings → Actions → Secrets**.
| Secret | Value | | Secret | Value |
|--------|-------| |--------|-------|
| `PACKAGE_USER` | Gitea username with package upload permission (e.g. `tegwick`) | | `PACKAGE_USER` | `inter-hub-pkg-rep` — forge package-publish service account |
| `PACKAGE_TOKEN` | Gitea API token with `write:package` scope | | `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` with `write:package` scope |
Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACKAGE_TOKEN` Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACKAGE_TOKEN`
(not `GITEA_PACKAGE_USER`). Workflows use `runs-on: haskelseed` and native `git clone` (not `GITEA_PACKAGE_USER`). Workflows use `runs-on: haskelseed` and native `git clone`
@@ -70,11 +70,10 @@ Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACK
The publish workflow fails at the upload step when either secret is missing or The publish workflow fails at the upload step when either secret is missing or
invalid. Do not commit tokens to the repository. invalid. Do not commit tokens to the repository.
**Smoke-test result (2026-06-16):** `workflow_dispatch` run #17 built and passed **Smoke-test result (2026-06-16):** run #17 built and passed `twine check`; upload
`twine check`; upload returned `401 Unauthorized`. That indicates returned `401` when `PACKAGE_USER` did not match the token owner. Use the
`PACKAGE_USER` / `PACKAGE_TOKEN` repo secrets need verification (token must `inter-hub-pkg-rep` service account and its API token for both secrets. Build
include `write:package`, username must match the token owner). Build step uses step uses `.build-venv` (PEP 668 safe on haskelseed).
`.build-venv` and is PEP 668 safe on haskelseed.
Verify secrets without cutting a release: Verify secrets without cutting a release:

View File

@@ -37,7 +37,7 @@ Confirm tag-triggered publication works end-to-end before the v1.2.0 cut.
### Tasks ### Tasks
- [x] T01 — Configure `PACKAGE_USER` and `PACKAGE_TOKEN` secrets in Gitea (Gitea rejects `GITEA_*` secret names) - [x] T01 — Configure `PACKAGE_USER` (`inter-hub-pkg-rep`) and `PACKAGE_TOKEN` (inter-hub-pkg-rep API token) in Gitea
- [ ] T02 — Smoke-test `.gitea/workflows/publish-python-package.yml` via `workflow_dispatch` - [ ] T02 — Smoke-test `.gitea/workflows/publish-python-package.yml` via `workflow_dispatch`
- [x] T03 — Add pre-tag release checklist to `docs/PACKAGE_RELEASE.md` (secrets, `make package-check`, tag format) - [x] T03 — Add pre-tag release checklist to `docs/PACKAGE_RELEASE.md` (secrets, `make package-check`, tag format)