
fix(ci): push the chart with the Actions token, not the app token#553

Merged
joryirving merged 1 commit into main from fix/chart-push-token on Jul 2, 2026

Conversation

joryirving (Contributor)

Summary

  • Chart-publish step uses secrets.GITHUB_TOKEN (+ job packages: write) instead of the bot app token.

v0.5.18's chart push died 403 Forbidden on POST …/misospace/charts/dispatch/blobs/uploads/ — first-time GHCR package creation needs the repo's own Actions token (which auto-links the package to the repo); the app token can't create it. The image pushes already use the Actions token, which is why they've always worked.

Verification

  • Not run — validated by re-running the chart publish after merge (rerun the failed publish-release run or cut 0.5.19).

The chart push 403'd on the first publish: GHCR package creation
requires the repo's own GITHUB_TOKEN (which auto-links the new
package); the bot app token cannot create ghcr.io/misospace/charts/*.
Add packages:write to the job.
joryirving enabled auto-merge (squash) July 2, 2026 20:13
joryirving merged commit f0a5145 into main Jul 2, 2026
6 checks passed
joryirving deleted the fix/chart-push-token branch July 2, 2026 20:14

its-saffron (bot, Contributor) left a comment

AI Automated Review

Full PR review.

Analysis engine: self-hosted@https://litellm.jory.dev/v1 (openai) — primary route

Recommendation

Approve — This is a targeted, well-documented fix for a real CI failure.

Change Summary

This PR fixes the Helm chart publishing step in .github/workflows/publish-release.yml by:

  1. Adding packages: write permission to the job permissions block (required for GHCR package operations)
  2. Switching from app token to Actions token (${{ secrets.GITHUB_TOKEN }}) for the chart push step, with an explanatory comment documenting why the app token fails (403 on first-time package creation in GHCR)

Findings

Verified

  • Root cause alignment: The PR body correctly identifies that GHCR package creation requires the repository's own Actions token, not a GitHub App installation token. This is consistent with GitHub's documented behavior for OCI registry operations.
  • Permission scope: Adding packages: write is necessary and appropriately scoped — it only affects this job and is required for the chart push to succeed.
  • Minimal change surface: Only 6 lines changed across a single workflow file. No application code, secrets, or configuration files touched.
  • CI status: All checks passed (Build, Tests, Lint, Typecheck, Docker Build). The publish-release check was correctly skipped since this is a PR, not a merged release.
  • Consistency with existing patterns: The image publishing workflow already uses the Actions token successfully, as noted in the PR description.

Standards Compliance

  • ✅ No secrets committed
  • ✅ Follows repository CI conventions
  • ✅ Clear inline documentation explaining the token choice
  • ✅ No agent-specific naming violations

Linked Issue Fit

No linked issue — this is a direct fix for an observed CI failure (v0.5.18 chart push 403).

Notes

The verification approach noted in the PR body (re-running the failed publish-release or cutting v0.5.19) is appropriate since this change can only be validated during an actual release workflow execution.
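The job shape the PR body and the change summary above describe, written out as an added illustrative excerpt; it is not the repository's actual .github/workflows/publish-release.yml. The `packages: write` permission, the use of `secrets.GITHUB_TOKEN` and the `ghcr.io/misospace/charts` target come from the page; the job and step names, the chart directory, the chart name `misospace` and the action versions are assumptions.

```yaml
# Illustrative excerpt, not the repository's file. Job/step names, the chart
# directory and the chart name are assumptions; the token choice and the
# packages: write permission are the fix described in the PR.
jobs:
  publish-chart:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write   # added by the fix; GHCR pushes need it on the job
    steps:
      - uses: actions/checkout@v4

      - uses: azure/setup-helm@v4   # any Helm >= 3.8 has OCI registry support

      - name: Package chart
        id: pkg
        run: |
          helm package charts/misospace --destination dist
          # record the chart version so the read-back step below can pin it
          echo "version=$(helm show chart charts/misospace | awk '/^version:/ {print $2}')" >> "$GITHUB_OUTPUT"

      # Log in with the workflow's own Actions token, not a GitHub App
      # installation token. The first push of a new package creates it in
      # GHCR, and only the repo's GITHUB_TOKEN may do that (it also links the
      # package to the repo); the app token got 403 Forbidden at that step.
      - name: Log in to GHCR
        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io --username "${{ github.actor }}" --password-stdin

      - name: Push chart
        run: helm push dist/*.tgz oci://ghcr.io/misospace/charts

      # Read the chart back from the registry so a push that silently did
      # nothing fails the job instead of surfacing at the next release.
      - name: Verify the push landed
        run: helm show chart oci://ghcr.io/misospace/charts/misospace --version "${{ steps.pkg.outputs.version }}"
```

The read-back step is the check the PR body says could only happen by re-running the release; keeping it in the job means a broken push fails visibly on every run.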
