From fc34134bd8d646aa58794f783b37628b9905d200 Mon Sep 17 00:00:00 2001
From: Yuan <20144414+baskduf@users.noreply.github.com>
Date: Thu, 18 Jun 2026 15:49:46 +0900
Subject: [PATCH] ci: fix pinned FABLE source fetch

---
 .github/workflows/ci.yml |  6 +-----
 tests/test_scripts.py    | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7ef1868..5cd3fba 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -42,8 +42,6 @@ jobs:
           sh -n plugins/codex-fable5/bin/codex-goals
 
       - name: Fetch pinned FABLE-5 source
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           set -euo pipefail
           mkdir -p build/fable5
@@ -51,9 +49,7 @@ jobs:
           # commit SHA from the matrix's source note for explicit traceability.
           PIN="dc626fed52b06d687cdc812d51090c95ed03d575"
           curl -fsSL \
-            -H "Authorization: Bearer ${GH_TOKEN}" \
-            -H "Accept: application/vnd.github.raw" \
-            "https://api.github.com/repos/elder-plinius/CL4R1T4S/contents/ANTHROPIC/CLAUDE-FABLE-5.md?ref=${PIN}" \
+            "https://raw.githubusercontent.com/elder-plinius/CL4R1T4S/${PIN}/ANTHROPIC/CLAUDE-FABLE-5.md" \
             -o build/fable5/CLAUDE-FABLE-5.md
           # Sanity check: file must contain a Fable 5 marker.
           grep -q "Fable 5" build/fable5/CLAUDE-FABLE-5.md \
diff --git a/tests/test_scripts.py b/tests/test_scripts.py
index 01e87ff..59e6bb8 100644
--- a/tests/test_scripts.py
+++ b/tests/test_scripts.py
@@ -293,6 +293,24 @@ def test_ci_workflow_validates_against_pinned_source(self) -> None:
         workflow = (ROOT / ".github" / "workflows" / "ci.yml").read_text(encoding="utf-8")
         self.assertIn("CLAUDE-FABLE-5.md", workflow)
         self.assertIn("elder-plinius/CL4R1T4S", workflow)
+        fetch_step = re.search(
+            r"      - name: Fetch pinned FABLE-5 source\n(?P<body>.*?)(?:\n      - name: |\Z)",
+            workflow,
+            re.DOTALL,
+        )
+        self.assertIsNotNone(fetch_step, "CI workflow must define the pinned source fetch step")
+        assert fetch_step is not None  # for type checkers
+        fetch_step_body = fetch_step.group("body")
+        self.assertIn(
+            "raw.githubusercontent.com/elder-plinius/CL4R1T4S/${PIN}/ANTHROPIC/CLAUDE-FABLE-5.md",
+            fetch_step_body,
+            "CI should fetch the public pinned source directly, matching the release checklist",
+        )
+        self.assertNotIn(
+            "Authorization: Bearer",
+            fetch_step_body,
+            "CI source fetch should not rely on a hand-built Authorization header; malformed quoting can hide curl failures",
+        )
         pin_match = re.search(r'PIN="([0-9a-f]{40})"', workflow)
         self.assertIsNotNone(pin_match, "CI workflow must define the pinned upstream SHA")
         assert pin_match is not None  # for type checkers