fix(ci): push the chart with the Actions token, not the app token #553
Merged
Conversation
The chart push 403'd on the first publish: GHCR package creation requires the repo's own GITHUB_TOKEN (which auto-links the new package); the bot app token cannot create ghcr.io/misospace/charts/*. Add packages:write to the job.
Contributor
AI Automated Review
Full PR review.
Analysis engine: self-hosted@https://litellm.jory.dev/v1 (openai) — primary route
Recommendation
Approve — This is a targeted, well-documented fix for a real CI failure.
Change Summary
This PR fixes the Helm chart publishing step in .github/workflows/publish-release.yml by:
- Adding `packages: write` permission to the job permissions block (required for GHCR package operations)
- Switching from app token to Actions token (`${{ secrets.GITHUB_TOKEN }}`) for the chart push step, with an explanatory comment documenting why the app token fails (403 on first-time package creation in GHCR)
Findings
Verified
- Root cause alignment: The PR body correctly identifies that GHCR package creation requires the repository's own Actions token, not a GitHub App installation token. This is consistent with GitHub's documented behavior for OCI registry operations.
- Permission scope: Adding `packages: write` is necessary and appropriately scoped — it only affects this job and is required for the chart push to succeed.
- Minimal change surface: Only 6 lines changed across a single workflow file. No application code, secrets, or configuration files touched.
- CI status: All checks passed (Build, Tests, Lint, Typecheck, Docker Build). The `publish-release` check was correctly skipped since this is a PR, not a merged release.
- Consistency with existing patterns: The image publishing workflow already uses the Actions token successfully, as noted in the PR description.
Standards Compliance
- ✅ No secrets committed
- ✅ Follows repository CI conventions
- ✅ Clear inline documentation explaining the token choice
- ✅ No agent-specific naming violations
Linked Issue Fit
No linked issue — this is a direct fix for an observed CI failure (v0.5.18 chart push 403).
Notes
The verification approach noted in the PR body (re-running the failed publish-release or cutting v0.5.19) is appropriate since this change can only be validated during an actual release workflow execution.
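The job shape the review describes, written out as an added illustration rather than the project's actual publish-release.yml; the tag trigger, checkout step, chart path, and the commented-out app-token login are assumptions, while the `packages: write` permission, the `secrets.GITHUB_TOKEN` login and the `ghcr.io/misospace/charts` target are taken from the PR:

```yaml
# Illustrative excerpt, not the project's own .github/workflows/publish-release.yml
name: publish-release

on:
  push:
    tags: ["v*"]            # assumption: a release is cut by pushing a version tag

jobs:
  publish-release:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write       # the one line the PR adds: lets this job create/push
                            # packages under ghcr.io/misospace/charts/* (job-scoped)
    steps:
      - uses: actions/checkout@v4

      # Before (403 Forbidden on the first push of a new chart package):
      # a GitHub App installation token cannot create a GHCR package, and a
      # package it could push to would not be auto-linked to this repository.
      # How the app token was minted is an assumption here; shown only for contrast.
      #
      #   - name: Log in to GHCR with the bot app token
      #     run: echo "${{ steps.app-token.outputs.token }}" \
      #            | helm registry login ghcr.io -u x-access-token --password-stdin

      # After: the job's own short-lived GITHUB_TOKEN, limited to the permissions
      # block above, creates the package and links it to the repo automatically.
      - name: Log in to GHCR with the Actions token
        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u "${{ github.actor }}" --password-stdin

      - name: Package and push the chart
        run: |
          helm package charts/dispatch                  # assumption: chart source path
          helm push dispatch-*.tgz oci://ghcr.io/misospace/charts   # lands at ghcr.io/misospace/charts/dispatch
```

The image publish job referenced in the PR uses the same login, which is why the first chart publish was the only step to fail.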
Summary
`secrets.GITHUB_TOKEN` (+ job `packages: write`) instead of the bot app token. v0.5.18's chart push died with `403 Forbidden` on `POST …/misospace/charts/dispatch/blobs/uploads/` — first-time GHCR package creation needs the repo's own Actions token (which auto-links the package to the repo); the app token can't create it. The image pushes already use the Actions token, which is why they've always worked.
Verification