fix: embed GH_TOKEN in clone URL so initial clone authenticates #77
Merged
Justus-at-Tazama merged 3 commits into dev from Apr 7, 2026
Sync 17 canonical workflow files from tazama-lf/workflows. branch-target-check.yml was already up to date.

Changes applied across all synced files:
- Pin all action SHAs (checkout v6.0.2, setup-node v6.3.0, codeql v4.35.1, scorecard-action v2.4.3, upload-artifact v7.0.0, etc.)
- gpg-verify.yml: fix inverted git log range, replace circular check-runs API call with commit verification endpoint, add github-actions[bot] exclusion, guard empty commit range
- scorecard.yml: remove dev from push.branches trigger (ossf/scorecard-action enforces default branch only)
- package-rule-rc.yml / package-rule.yml: pull latest reusable workflow logic
- node.js.yml, conventional-commits.yml, dco-check.yml, etc.: pin SHAs

publish.yml / release-train.yml synced with improvements only (scope and org references kept as @frmscoe):
- Pin checkout and setup-node SHAs
- publish.yml: use node -p instead of jq, add continue-on-error to Slack step, use curl --fail -sS
- release-train.yml: add GH_USERNAME env var, use \ instead of inline secret reference (prevents injection)

Signed-off-by: Justus-at-Tazama <jortlepp@contractor.linuxfoundation.org>
- Add concurrency block: cancel-in-progress prevents parallel sync runs
- Pin actions/checkout to SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd (v6.0.2)
- Remove manual gh CLI install step (pre-installed on ubuntu-latest; v2.14.7 was 2 years out of date)
- Add SSH commit signing (base64-encoded SSH_SIGNING_KEY secret, same Justus-at-Tazama identity as tazama-lf/workflows). Fails fast if secret is missing or key is invalid.
- Fix Get actor details: previous version called pulls API on push/workflow_dispatch events where pull_request.number is empty; add fallback to github.actor for non-PR triggers
- Fix branch strategy: delete and recreate sync-workflows-update each run instead of checkout+pull (avoids accumulating stale changes)
- Add dev branch existence check: create from default branch if absent
- Add missing cd .. at end of loop (latent bug: loop was broken after first repo)
- Fix PR token handling: remove echo-to-file + gh auth login + unset pattern; GH_TOKEN env var used directly (gh CLI picks it up automatically)
- Fix PR body: use variable instead of inline interpolation; use two-arg commit message (-m msg -m body) instead of concatenation
- Change PR_REVIEWERS source: vars.PR_REVIEWERS -> secrets.GH_USERNAME (consistent with tazama-lf/workflows)
- Add publish.yml / version-check.yml / release-train.yml exclusion: these are library-only and should not be copied to rule repos

Signed-off-by: Justus-at-Tazama <jortlepp@contractor.linuxfoundation.org>
Signed-off-by: Justus-at-Tazama <jortlepp@contractor.linuxfoundation.org>
The bare `git clone https://github.com/frmscoe/\.git` fails with exit code 128 because there are no credentials. The `git remote set-url` that injects the token only runs after a successful clone. Fix: embed the token in the clone URL directly.
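
An added example, not code from this pull request: the fix described above authenticates the first clone by putting the token in the URL, and git then records that URL as the origin remote in `.git/config`. The sketch below shows a different technique, an inline credential helper that reads `GH_TOKEN` from the environment for a credential-free URL, plus a check and scrubber for URLs that carry credentials. The `x-access-token` username, the function names and the sample URLs are assumptions.

```shell
#!/bin/sh
# Added example. Token value, repo URLs and function names are constructed/hypothetical.

# Inline credential helper: git runs the text after "!" in a shell and appends the
# operation (get/store/erase). On "get" it answers with key=value lines on stdout.
# GH_TOKEN is read from the environment at that moment, never from the URL.
# Assumption: "x-access-token" as username; the token is what authenticates.
GH_CRED_HELPER='!f() { test "$1" = get || return 0; printf "username=x-access-token\npassword=%s\n" "$GH_TOKEN"; }; f'

# Run the helper the way git would, to inspect what it hands back.
helper_output() {
  sh -c "${GH_CRED_HELPER#!} get"
}

# True when the authority part (between "://" and the first "/") has userinfo.
url_has_credentials() {
  rest=${1#*://}
  authority=${rest%%/*}
  case $authority in *@*) return 0 ;; *) return 1 ;; esac
}

# Print the URL with any user:password@ prefix removed from the authority.
scrub_url() {
  if url_has_credentials "$1"; then
    scheme=${1%%://*}
    rest=${1#*://}
    printf '%s://%s\n' "$scheme" "${rest#*@}"
  else
    printf '%s\n' "$1"
  fi
}

# Clone with a credential-free URL. The empty credential.helper entry first clears
# helpers inherited from system/global config so only the inline one is consulted.
clone_with_token() {
  url=$1 dir=$2
  [ -n "${GH_TOKEN:-}" ] || { echo "GH_TOKEN is not set" >&2; return 1; }
  if url_has_credentials "$url"; then
    echo "refusing URL with embedded credentials" >&2; return 1
  fi
  GH_TOKEN=$GH_TOKEN git -c credential.helper= -c "credential.helper=$GH_CRED_HELPER" \
    clone "$url" "$dir"
}
```

For a working copy that was already cloned with a token in the URL, `git remote set-url origin "$(scrub_url "$(git remote get-url origin)")"` rewrites the stored remote without it.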