fix(ci): use VARIABLES_WRITE_TOKEN for V1_LATEST_TAG update#126
Merged
Remove the invalid 'variables: write' permission (no such permission exists in GitHub Actions) and switch the V1_LATEST_TAG update step to use secrets.VARIABLES_WRITE_TOKEN instead of the default github.token, which cannot modify repository Actions variables. Requires VARIABLES_WRITE_TOKEN to be configured as a fine-grained PAT scoped to augmentcode/auggie with Metadata: read and Variables: read/write.
PR Risk Analysis 🛡️ · Human Input Needed

Justification: The diff is small and matches the description, but it touches `.github/` (always-review) and changes a release workflow's token/secret model — releases and secret trust boundaries warrant human judgment. *Memory (seen 1×; last PR-125; permanent): the prior workflow was flagged for using `github.token` against the Actions variables API and a fine-grained PAT was suggested; this PR implements that, but provisioning of `VARIABLES_WRITE_TOKEN` is out of band and a human should confirm it lands before a stable release runs.*
Summary

Fix stable releases so the `V1_LATEST_TAG` Actions repository variable can actually be updated by the `release` job in `.github/workflows/bun-compile.yml`. Two minimal workflow changes:

- Remove the `variables: write` entry from the job's `permissions` block. There is no `variables` permission in GitHub Actions; its presence makes the release job definition invalid.
- Switch the V1_LATEST_TAG update step from `github.token` to `secrets.VARIABLES_WRITE_TOKEN`. The default `GITHUB_TOKEN` cannot modify Actions repository variables regardless of the `permissions` block.

Root cause

`GITHUB_TOKEN` does not grant access to `PATCH /repos/{owner}/{repo}/actions/variables/{name}`. The previous workflow attempted to compensate with `permissions: variables: write`, which is not a real GitHub Actions permission and therefore had no effect. As a result, the `Update V1_LATEST_TAG variable` step in stable releases would always fail to update the variable.

The supported approach for writing Actions variables is to authenticate with a fine-grained PAT (or a GitHub App installation token) that has explicit `Variables: read and write` access on the repository.

Verification

- `git diff` reviewed: only the two intended lines change in `.github/workflows/bun-compile.yml` (+1 / -2).
- `python3 -c "import yaml; yaml.safe_load(open('.github/workflows/bun-compile.yml'))"` parses successfully.
- `actionlint .github/workflows/bun-compile.yml` reports no findings.

End-to-end runtime verification (the variable actually being updated by a real stable release run) requires the secret described in Required setup to be present in repository settings. Provisioning that secret is intentionally out of scope for this PR.

Required setup

Before this workflow can update `V1_LATEST_TAG` end-to-end, the following must be configured in `augmentcode/auggie` (out of band, not in this PR):

- A repository secret named `VARIABLES_WRITE_TOKEN` in `augmentcode/auggie` (Settings → Secrets and variables → Actions → Repository secrets). Organization-level or environment-level Actions secrets that are made available to this repository under the same name are also acceptable; do not store this token as an Actions variable or as a Dependabot/Codespaces secret.
- The secret value is a fine-grained PAT; a GitHub App installation token exposed via a secret with the same scopes is an acceptable equivalent.
- Resource owner: `augmentcode`.
- Repository access: `augmentcode/auggie` (do not select "All repositories").
- Permissions: Metadata: Read-only (mandatory for any fine-grained PAT). Variables: Read and write.

This PR does not provision, rotate, or reveal any token value.

Out of scope

- The `VARIABLES_WRITE_TOKEN` secret value.
- The `V1_LATEST_TAG` Actions variable.
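The shape of the change described in this PR, as an added illustration rather than the repository's own `bun-compile.yml`: the first document shows the broken release job (invalid `variables: write` permission key, default token that cannot reach the variables API), the second the corrected job reading `secrets.VARIABLES_WRITE_TOKEN`. The trigger, the `contents: write` permission, the use of `gh api` against the `PATCH /repos/{owner}/{repo}/actions/variables/{name}` endpoint named above, and the use of `GITHUB_REF_NAME` as the tag value are all assumptions; the PR does not show the step body. The empty-token guard is an addition that makes a missing out-of-band secret fail loudly instead of producing a confusing API error.

```yaml
# Added example, not the project's workflow. Job and step names follow the PR
# description; the trigger, extra permissions and step body are assumed.

# --- Before: the job this PR fixes ---
on:
  push:
    tags: ["v1.*"]          # assumed stable-release trigger
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # assumed; needed only to publish the release
      variables: write       # not a real Actions permission; rejected by actionlint
    steps:
      - name: Update V1_LATEST_TAG variable
        env:
          GH_TOKEN: ${{ github.token }}   # GITHUB_TOKEN cannot write Actions variables
        run: |
          gh api --method PATCH \
            "/repos/${GITHUB_REPOSITORY}/actions/variables/V1_LATEST_TAG" \
            -f value="${GITHUB_REF_NAME}"

---
# --- After: fine-grained PAT supplied out of band as a repository secret ---
on:
  push:
    tags: ["v1.*"]          # assumed stable-release trigger
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # assumed; the invalid variables key is gone
    steps:
      - name: Update V1_LATEST_TAG variable
        env:
          # Fine-grained PAT: Metadata read-only, Variables read/write,
          # repository access limited to this repository.
          GH_TOKEN: ${{ secrets.VARIABLES_WRITE_TOKEN }}
        run: |
          # Guard (added here): an unset secret expands to "", so fail early
          # with a clear message rather than an opaque 401/403 from the API.
          if [ -z "${GH_TOKEN}" ]; then
            echo "::error::VARIABLES_WRITE_TOKEN secret is not configured"
            exit 1
          fi
          gh api --method PATCH \
            "/repos/${GITHUB_REPOSITORY}/actions/variables/V1_LATEST_TAG" \
            -f value="${GITHUB_REF_NAME}"
```

The token is exposed to the step only through `env`, so it never appears in the job's `permissions` block, which governs `GITHUB_TOKEN` alone. Keeping the PAT's repository access restricted to this one repository limits what a leaked secret can write, which is the reason the setup section above says not to select "All repositories".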