fix: push external-update state with state token, not bot #203
Merged
The generated external-update receiver checked out with a hardcoded
${{ secrets.GITHUB_TOKEN }}, so its manifest push ran as
github-actions[bot]. On a primary repo whose trunk has required pull
request reviews, that identity is blocked even with enforce_admins
disabled, so external-update failed with a swallowed protected-branch
rejection. The other state-writers (orchestrate, promote, hotfix) check
out with the configured state token and bypass protection.
- external.go: check out the receiver with the state token (falls back
to GITHUB_TOKEN when state_token is unset) and fetch-depth: 0, for
parity with the other state-writers.
- command.go: include the captured push output in the failure error so a
rejected push is diagnosable instead of opaque.
- external.go: default the receiver concurrency group to the same
ref-scoped key orchestrate uses, with cancel-in-progress false, so
external and internal state writes serialize on one queue and an
incoming notification never cancels a live pipeline.
Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
Problem
The generated external-update receiver checked out with a hardcoded
${{ secrets.GITHUB_TOKEN }}, so its manifest git push ran as github-actions[bot]. On a primary repo whose trunk has required_pull_request_reviews, that identity is blocked by the PR-review rule even with enforce_admins disabled (which only exempts admin users). External-update was the only state-writer using the bot; orchestrate, promote, and hotfix check out with the configured state token and bypass protection. The push failure was also opaque because the push output was discarded, so the underlying protected-branch rejection never surfaced.
Fix
- internal/generate/external.go: the receiver now checks out with the state token (g.config.GetStateToken()), the same accessor orchestrate/promote/hotfix use, with fetch-depth: 0 for parity. Falls back to GITHUB_TOKEN when state_token is unset (back-compat).
- internal/external/command.go: the captured push output is now included in the failure error.
- internal/generate/external.go: the receiver concurrency group defaults to the same ref-scoped key orchestrate serializes on (orchestrate-${{ github.ref }}), with cancel-in-progress: false, so external and internal state writes serialize on one queue and an incoming notification never cancels a live pipeline. An explicit concurrency.group is still honored.
This is record-only behavior; deploy-on-update is a separate, deferred capability and is not implemented here.
Verification
go build ./..., go test ./... (1406 pass), golangci-lint run ./... (0 issues) all green.
fetch-depth: 0; back-compat default to GITHUB_TOKEN; default concurrency group shares orchestrate's queue and is non-cancelling; push failure surfaces the captured output.
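As an added illustration, not code from this PR or the project, the three changes the description lists modelled as a small Go generator: the checkout token with its GITHUB_TOKEN fallback, the default ref-scoped concurrency group with cancel-in-progress false, and a push error that carries the captured output. ReceiverConfig, its field names, RenderReceiver, pushError and the exact workflow shape are assumptions for this example; the project's real accessor is g.config.GetStateToken().

```go
package main

import (
	"fmt"
	"strings"
)

// ReceiverConfig mirrors the three settings the PR touches. Field names are
// assumptions for this example, not the project's real config struct.
type ReceiverConfig struct {
	StateToken       string // secret name such as "STATE_TOKEN"; empty means unset
	ConcurrencyGroup string // explicit concurrency.group, if one was configured
}

// checkoutToken resolves the token expression the receiver checks out with:
// the configured state token when set, otherwise GITHUB_TOKEN, which pushes as
// github-actions[bot] and is rejected by a required-reviews rule.
func checkoutToken(c ReceiverConfig) string {
	if c.StateToken == "" {
		return "${{ secrets.GITHUB_TOKEN }}"
	}
	return fmt.Sprintf("${{ secrets.%s }}", c.StateToken)
}

// concurrencyGroup defaults to the ref-scoped key orchestrate serializes on so
// external and internal state writes share one queue; an explicit group wins.
func concurrencyGroup(c ReceiverConfig) string {
	if c.ConcurrencyGroup != "" {
		return c.ConcurrencyGroup
	}
	return "orchestrate-${{ github.ref }}"
}

// RenderReceiver emits the receiver's concurrency block and checkout step.
func RenderReceiver(c ReceiverConfig) string {
	var b strings.Builder
	fmt.Fprintf(&b, "concurrency:\n  group: %s\n  cancel-in-progress: false\n", concurrencyGroup(c))
	b.WriteString("jobs:\n  receive:\n    runs-on: ubuntu-latest\n    steps:\n")
	b.WriteString("      - uses: actions/checkout@v4\n        with:\n")
	fmt.Fprintf(&b, "          token: %s\n          fetch-depth: 0\n", checkoutToken(c))
	return b.String()
}

// pushError keeps the captured git output in the returned error so a
// protected-branch rejection is diagnosable rather than opaque.
func pushError(err error, output []byte) error {
	return fmt.Errorf("git push failed: %w: %s", err, strings.TrimSpace(string(output)))
}

func main() { fmt.Print(RenderReceiver(ReceiverConfig{StateToken: "STATE_TOKEN"})) }
```

Running it prints the fragment with token: ${{ secrets.STATE_TOKEN }}; leaving StateToken empty reproduces the pre-fix GITHUB_TOKEN checkout.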