fix: use inter-hub-pkg-rep for Gitea publish auth (WP-0005 T02)
Some checks failed
ci / test (push) Failing after 39s
Some checks failed
ci / test (push) Failing after 39s
Wire PACKAGE_USER into git clone URL and document inter-hub-pkg-rep as the forge package-publish service account for PACKAGE_USER/PACKAGE_TOKEN.
This commit is contained in:
@@ -12,10 +12,11 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Check out source
|
- name: Check out source
|
||||||
env:
|
env:
|
||||||
|
PACKAGE_USER: ${{ secrets.PACKAGE_USER }}
|
||||||
PACKAGE_TOKEN: ${{ secrets.PACKAGE_TOKEN }}
|
PACKAGE_TOKEN: ${{ secrets.PACKAGE_TOKEN }}
|
||||||
run: |
|
run: |
|
||||||
git clone --depth 1 \
|
git clone --depth 1 \
|
||||||
"https://tegwick:${PACKAGE_TOKEN}@gitea.coulomb.social/coulomb/kaizen-agentic.git" \
|
"https://${PACKAGE_USER}:${PACKAGE_TOKEN}@gitea.coulomb.social/coulomb/kaizen-agentic.git" \
|
||||||
repo
|
repo
|
||||||
cd repo
|
cd repo
|
||||||
git checkout "${{ gitea.sha }}"
|
git checkout "${{ gitea.sha }}"
|
||||||
|
|||||||
@@ -60,8 +60,8 @@ Configure in Gitea: **Repository → Settings → Actions → Secrets**.
|
|||||||
|
|
||||||
| Secret | Value |
|
| Secret | Value |
|
||||||
|--------|-------|
|
|--------|-------|
|
||||||
| `PACKAGE_USER` | Gitea username with package upload permission (e.g. `tegwick`) |
|
| `PACKAGE_USER` | `inter-hub-pkg-rep` — forge package-publish service account |
|
||||||
| `PACKAGE_TOKEN` | Gitea API token with `write:package` scope |
|
| `PACKAGE_TOKEN` | Gitea API token named `inter-hub-pkg-rep` with `write:package` scope |
|
||||||
|
|
||||||
Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACKAGE_TOKEN`
|
Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACKAGE_TOKEN`
|
||||||
(not `GITEA_PACKAGE_USER`). Workflows use `runs-on: haskelseed` and native `git clone`
|
(not `GITEA_PACKAGE_USER`). Workflows use `runs-on: haskelseed` and native `git clone`
|
||||||
@@ -70,11 +70,10 @@ Gitea rejects secret names prefixed with `GITEA_` — use `PACKAGE_USER` / `PACK
|
|||||||
The publish workflow fails at the upload step when either secret is missing or
|
The publish workflow fails at the upload step when either secret is missing or
|
||||||
invalid. Do not commit tokens to the repository.
|
invalid. Do not commit tokens to the repository.
|
||||||
|
|
||||||
**Smoke-test result (2026-06-16):** `workflow_dispatch` run #17 built and passed
|
**Smoke-test result (2026-06-16):** run #17 built and passed `twine check`; upload
|
||||||
`twine check`; upload returned `401 Unauthorized`. That indicates
|
returned `401` when `PACKAGE_USER` did not match the token owner. Use the
|
||||||
`PACKAGE_USER` / `PACKAGE_TOKEN` repo secrets need verification (token must
|
`inter-hub-pkg-rep` service account and its API token for both secrets. Build
|
||||||
include `write:package`, username must match the token owner). Build step uses
|
step uses `.build-venv` (PEP 668 safe on haskelseed).
|
||||||
`.build-venv` and is PEP 668 safe on haskelseed.
|
|
||||||
|
|
||||||
Verify secrets without cutting a release:
|
Verify secrets without cutting a release:
|
||||||
|
|
||||||
|
|||||||
@@ -37,7 +37,7 @@ Confirm tag-triggered publication works end-to-end before the v1.2.0 cut.
|
|||||||
|
|
||||||
### Tasks
|
### Tasks
|
||||||
|
|
||||||
- [x] T01 — Configure `PACKAGE_USER` and `PACKAGE_TOKEN` secrets in Gitea (Gitea rejects `GITEA_*` secret names)
|
- [x] T01 — Configure `PACKAGE_USER` (`inter-hub-pkg-rep`) and `PACKAGE_TOKEN` (inter-hub-pkg-rep API token) in Gitea
|
||||||
- [ ] T02 — Smoke-test `.gitea/workflows/publish-python-package.yml` via `workflow_dispatch`
|
- [ ] T02 — Smoke-test `.gitea/workflows/publish-python-package.yml` via `workflow_dispatch`
|
||||||
- [x] T03 — Add pre-tag release checklist to `docs/PACKAGE_RELEASE.md` (secrets, `make package-check`, tag format)
|
- [x] T03 — Add pre-tag release checklist to `docs/PACKAGE_RELEASE.md` (secrets, `make package-check`, tag format)
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user