From f37ed93b145e5c559a42809e06ba6554258e95d5 Mon Sep 17 00:00:00 2001
From: Yusuke Watanabe
Date: Sat, 6 Jun 2026 18:43:57 +0900
Subject: [PATCH] fix(ci,ps168): cla.yml uses GH_PERSONAL_ACCESS_TOKEN secret
The CLA Assistant workflow's PAT secret is being renamed ecosystem-wide to `GH_PERSONAL_ACCESS_TOKEN` per operator directive. The new name uses the GH_ gh-CLI namespace because the natural GITHUB_* prefix is reserved by GitHub Actions on the secret-name surface. Two edits: - .github/workflows/cla.yml: secrets. -> secrets.GH_PERSONAL_ACCESS_TOKEN - pyproject.toml: [tool.scitex_dev.audit] ps168_secret_exceptions pins the exception inline so the audit passes on every scitex-dev version (the global allowlist update is on scitex-dev PR #122).
---
 .github/workflows/cla.yml | 2 +-
 pyproject.toml | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index f8990eba1..deb0c5898 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -20,7 +20,7 @@ jobs:
 uses: contributor-assistant/github-action@v2.6.1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_PERSONAL_ACCESS_TOKEN }}
+ PERSONAL_ACCESS_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
 with:
 path-to-signatures: "signatures/cla.json"
 path-to-document: "https://github.com/ywatanabe1989/scitex-dev/blob/main/CLA.md"
diff --git a/pyproject.toml b/pyproject.toml
index fd9a2ef18..615780229 100644
--- a/pyproject.toml
+++ b/pyproject.toml
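Review bot: The renamed secret is read on the `+` line with no check that it exists, so until `GH_PERSONAL_ACCESS_TOKEN` is populated for this repository (or its org) `${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}` expands to an empty string and the contributor-assistant step runs with an empty PAT, which most likely surfaces as an authorization failure far from the real cause. A fail-fast step placed before it, carrying `env: PAT: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}` and `run: test -n "$PAT" || { echo "::error::GH_PERSONAL_ACCESS_TOKEN is not set"; exit 1; }`, makes the cutover ordering explicit; the `secrets` context is not available in a step `if:`, which is why the check has to be a shell step. The step that owns this `env:` block starts before the hunk and its `with:` block may continue past it, so the workflow's triggers and the scope granted to the PAT are not visible here. Because the PAT is handed to a third-party action, pinning `uses:` to a full commit SHA (with the tag in a trailing comment) instead of `@v2.6.1` would limit what a moved or compromised tag could do with it; that line is context rather than new code, so it is a follow-up, not a blocker.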
@@ -1320,3 +1320,15 @@ quote-style = "double"
 indent-style = "space"
 skip-magic-trailing-comma = false
 line-ending = "auto"
+
+[tool.scitex_dev.audit]
+# PS-168 — Per-package secret + env-var prefix in GitHub Actions workflows.
+# `GH_PERSONAL_ACCESS_TOKEN` is the ecosystem-wide cross-cutting PAT used
+# by the contributor-assistant CLA action. The natural GITHUB_* namespace
+# is reserved by GitHub Actions on the secret-name surface (HTTP 422 on
+# every `gh secret set`), so the GH_ shorthand is the canonical
+# substitute and is registered ecosystem-wide via PR #122 on scitex-dev
+# (EXCEPTION_SECRETS_DEFAULT). This per-package entry pins the same
+# exception inline so the audit passes on every scitex-dev version,
+# independent of release timing.
+ps168_secret_exceptions = ["GH_PERSONAL_ACCESS_TOKEN"]
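Review bot: The new `ps168_secret_exceptions` entry is an audit allowlist with no removal condition, so once the ecosystem-wide default from scitex-dev PR #122 is in the minimum supported scitex-dev version this inline copy will simply linger, and any later tightening of the audit for that name would be masked here unnoticed; a marker such as `# TODO(ps168): drop once scitex-dev >= <version carrying PR #122> is the floor` on the line above the key gives the cleanup a trigger. The nine-line comment restates the commit message; the why fits in about three lines (the GH_ prefix stands in for the reserved GITHUB_* namespace, and this entry mirrors EXCEPTION_SECRETS_DEFAULT so the audit passes before that release is the floor), with the rest left to the commit. Whether the audit matches entries as exact names or as prefixes is not visible in this hunk — if it is a prefix match, the exception is wider than the single secret the workflow reads and that is worth stating in the comment. The table preceding the new header (the `quote-style`/`indent-style` keys look like a ruff format section) starts outside the hunk.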