fix(workflow): use app token for gh variable set — GITHUB_TOKEN lacks permission#7771
Merged
Conversation
… permission GITHUB_TOKEN cannot write repo variables via the Actions Variables API — returns 403 "Resource not accessible by integration" even with actions:write permission. Use the sentry-internal-app token instead, which has the necessary admin permissions. Also removes the now-unnecessary actions:write from workflow permissions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two fixes for the CI status poller:
1. Use app token for
gh variable setGITHUB_TOKENcannot write repo variables — returns 403 "Resource not accessible by integration" even withactions: write.Failing run: https://github.com/getsentry/publish/actions/runs/24263308562/job/70852292016
2. Resolve release branch HEAD instead of stale issue SHA
When a bot pushes a new commit to the release branch after issue creation, the "View check runs" SHA in the issue body is stale. The poller checks CI on the old commit and never sees the new CI results.
Failing run: https://github.com/getsentry/publish/actions/runs/24264032659/job/70854676310
Fix: Use the Check Suites API to discover the branch name from the original SHA (
check_suites[0].head_branch), then resolve the branch HEAD viagit/ref/heads/{branch}. If it moved, update the issue body so the link stays accurate for humans and future poller runs.Fallback: if check suites return nothing, use the issue body SHA as before.
Changes
ci-pending.yml: Use app token forgh variable setci-poller.yml: Use app token forgh variable set; resolve branch HEAD dynamically; update stale issue linksci-poller.yml,ci-pending.yml: Remove unnecessaryactions: writepermission