Skip to content

fix(workflow): add GH_TOKEN to gh CLI steps and split variable/label auth#7768

Merged
BYK merged 1 commit into
mainfrom
fix/ci-poller-gh-token
Apr 10, 2026
Merged

fix(workflow): add GH_TOKEN to gh CLI steps and split variable/label auth#7768
BYK merged 1 commit into
mainfrom
fix/ci-poller-gh-token

Conversation

@BYK

@BYK BYK commented Apr 10, 2026

Copy link
Copy Markdown
Member

Summary

Fix CI poller and waiting-for-ci workflows failing because:

  1. gh CLI requires GH_TOKEN to be set explicitly in GitHub Actions
  2. GITHUB_TOKEN cannot write repo variables — returns 403 "Resource not accessible by integration"

Failing runs:

Changes

  • publish.yml: Add GH_TOKEN: ${{ github.token }} to waiting-for-ci comment step
  • ci-pending.yml: Split into two steps — label change and variable set both use app token
  • ci-poller.yml: Same split — variable disable step uses app token instead of GITHUB_TOKEN
  • Remove unnecessary actions: write permission (not needed when using app token)

gh CLI in GitHub Actions requires GH_TOKEN to be set explicitly — it
does not auto-detect GITHUB_TOKEN despite the docs suggesting it.

Split steps that do both label changes and variable updates:
- Label changes: use the app token (so events trigger publish.yml)
- Variable set: use GITHUB_TOKEN with actions:write (app token may
  lack actions_variables permission)
@BYK BYK marked this pull request as ready for review April 10, 2026 16:57
@BYK BYK requested a review from a team as a code owner April 10, 2026 16:57
@BYK BYK merged commit 526f721 into main Apr 10, 2026
10 checks passed
@BYK BYK deleted the fix/ci-poller-gh-token branch April 10, 2026 17:32
BYK added a commit that referenced this pull request Apr 10, 2026
… permission (#7771)

## Summary

Fix `ci-poller.yml` failing with `HTTP 403: Resource not accessible by
integration` when calling `gh variable set CI_POLLER_HAS_PENDING`.

Failing run:
https://github.com/getsentry/publish/actions/runs/24263308562/job/70852292016

## Root Cause

`GITHUB_TOKEN` cannot write repo variables through the Actions Variables
API, even with `actions: write` in the workflow permissions block. The
sentry-internal-app token has admin access and can write variables.

PR #7768 incorrectly assumed the opposite (that the app token lacked
permission and `GITHUB_TOKEN` had it).

## Changes

- `ci-poller.yml`: "Disable poller" step uses app token instead of
`GITHUB_TOKEN`
- `ci-pending.yml`: "Enable cron poller" step uses app token instead of
`GITHUB_TOKEN`
- Remove unnecessary `actions: write` from both workflow permission
blocks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant