fix(PR-67): correct token reference and step order in plugin-release

- Move Generate GitHub App token before Create GitHub Release step - Change GITHUB_TOKEN env var from secrets.GITHUB_TOKEN (not injected by Gitea runners) to steps.app-token.outputs.token Refs: PRI-1702
fix(CI): replace runners-privilegedescalation with ubuntu-latest
2026-05-21 02:21:13 +00:00 · 2026-05-20 14:51:46 +00:00
9 changed files with 189 additions and 232 deletions
@@ -1,3 +1,2 @@
 self-hosted-runner:
-  labels:
-    - runners-privilegedescalation
+  labels: []
@@ -129,4 +129,4 @@ echo "With pending approval: ${process_pending}"

 if [ "$failures" -gt 0 ]; then
  exit 1
-fi
+fi
@@ -12,11 +12,22 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v6

+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        continue-on-error: true
+        with:
+          app-id: ${{ secrets.RELEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+          owner: privilegedescalation
+
      - name: Run CI/CD health check
        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
        run: |
-          if [ -z "$GITEA_TOKEN" ]; then
-            echo "::warning::GITEA_TOKEN not configured — health check may have limited data."
+          if [ "${{ steps.app-token.outcome }}" = "success" ]; then
+            echo "Using GitHub App token for cross-repo access"
+          else
+            echo "::warning::RELEASE_APP_ID not configured — using GITHUB_TOKEN. Cross-repo workflow run data will be unavailable. Configure RELEASE_APP_ID org secret to enable full health check."
          fi
-          ./.github/scripts/ci-health-check.sh
+          ./.github/scripts/ci-health-check.sh
@@ -13,18 +13,9 @@ jobs:
  test-detection-logic:
    runs-on: ubuntu-latest
    timeout-minutes: 2
-
-    env:
-      HEAD_REF: ${{ github.head_ref }}
-      BASE_REF: ${{ github.base_ref }}
-
    steps:
      - name: Checkout
-        run: |
-          git clone --depth=1 "https://x-access-token:${{ secrets.GITEA_TOKEN }}@git.farh.net/${{ github.repository }}.git" .
-          git fetch origin "$BASE_REF" --depth=1
-          git fetch origin +refs/pull/*/head:refs/pull/*/head --depth=1
-          git checkout "${{ github.sha }}"
+        uses: actions/checkout@v6

      - name: Run detection tests
        run: bash scripts/test-detect-pipeline.sh
@@ -32,35 +23,28 @@ jobs:
  detect-pipeline:
    runs-on: ubuntu-latest
    timeout-minutes: 5
-
-    env:
-      HEAD_REF: ${{ github.head_ref }}
-      BASE_REF: ${{ github.base_ref }}
-
    outputs:
      pipeline-type: ${{ steps.detect.outputs.pipeline-type }}

    steps:
      - name: Checkout
-        run: |
-          git clone --depth=1 "https://x-access-token:${{ secrets.GITEA_TOKEN }}@git.farh.net/${{ github.repository }}.git" .
-          git fetch origin "$BASE_REF" --depth=1
-          git fetch origin +refs/pull/*/head:refs/pull/*/head --depth=1
-          git checkout "${{ github.sha }}"
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0

      - name: Get changed files
-        run: |
-          mkdir -p /tmp/pr-detect
-          git fetch origin "$BASE_REF" --depth=1 2>/dev/null
-          git fetch origin +refs/pull/*/head:refs/pull/*/head --depth=1 2>/dev/null
-          git diff --name-only "origin/$BASE_REF"...HEAD > /tmp/pr-detect/changed_files.txt
-          echo "Files found: $(wc -l < /tmp/pr-detect/changed_files.txt)"
-          cat /tmp/pr-detect/changed_files.txt
+        id: changed-files
+        uses: tj-actions/changed-files@v47
+        with:
+          files_separator: '\n'

      - name: Detect pipeline type
        id: detect
        run: |
-          pipeline=$(bash scripts/detect-pipeline.sh < /tmp/pr-detect/changed_files.txt)
+          echo "Changed files:"
+          echo "${{ steps.changed-files.outputs.all_changed_files }}"
+
+          pipeline=$(echo "${{ steps.changed-files.outputs.all_changed_files }}" | bash scripts/detect-pipeline.sh)

          echo "pipeline-type=$pipeline" >> $GITHUB_OUTPUT
          echo "Detected pipeline: $pipeline"
@@ -17,7 +17,7 @@ jobs:
    steps:
      - name: Check promotion approval
        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ inputs.pr_number }}
          REPO: ${{ github.repository }}
          BASE_REF: ${{ github.base_ref }}
@@ -29,14 +29,6 @@ jobs:

          echo "Checking promotion gate for PR #${PR_NUMBER} targeting ${BASE_REF} in ${REPO}"

-          if [ -z "${BASE_REF}" ] && [ -n "${PR_NUMBER}" ] && [ "${PR_NUMBER}" != "null" ]; then
-            BASE_REF=$(curl -sf \
-              -H "Authorization: token ${GITEA_TOKEN}" \
-              -H "Accept: application/json" \
-              "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.base.ref')
-            echo "BASE_REF was empty; resolved from PR #${PR_NUMBER} API: ${BASE_REF}"
-          fi
-
          # Determine required reviewer based on target branch
          case "${BASE_REF}" in
            dev)
@@ -44,21 +36,21 @@ jobs:
              exit 0
              ;;
            uat)
-              REQUIRED_REVIEWER="pe_regina"
+              REQUIRED_REVIEWER="privilegedescalation-qa"
              GATE_NAME="QA"
              ;;
            main)
-              REQUIRED_REVIEWER="pe_regina"
+              REQUIRED_REVIEWER="privilegedescalation-qa"
              GATE_NAME="QA"
              # For plugin repos (Pipeline A), UAT approval is needed for uat→main
              # Check if the source branch is uat
              SOURCE_REF=$(curl -sf \
-                -H "Authorization: token ${GITEA_TOKEN}" \
-                -H "Accept: application/json" \
-                "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.head.ref')
+                -H "Authorization: Bearer ${GH_TOKEN}" \
+                -H "Accept: application/vnd.github.v3+json" \
+                "https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.head.ref')

              if [ "${SOURCE_REF}" = "uat" ]; then
-                REQUIRED_REVIEWER="pe_patty"
+                REQUIRED_REVIEWER="privilegedescalation-uat"
                GATE_NAME="UAT"
              fi
              ;;
@@ -70,17 +62,10 @@ jobs:

          echo "Required reviewer: ${REQUIRED_REVIEWER} (${GATE_NAME})"

-          # For uat→main promotions, pe_patty may not be able to review (bot account).
-          # Accept pe_nancy (CTO) as a valid alternative reviewer.
-          ALT_REVIEWER=""
-          if [ "${REQUIRED_REVIEWER}" = "pe_patty" ]; then
-            ALT_REVIEWER="pe_nancy"
-          fi
-
          REVIEWS=$(curl -sf \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            -H "Accept: application/json" \
-            "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
+            -H "Authorization: Bearer ${GH_TOKEN}" \
+            -H "Accept: application/vnd.github.v3+json" \
+            "https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/reviews")

          if [ -z "${REVIEWS}" ] || [ "${REVIEWS}" = "null" ]; then
            echo "::warning::Could not fetch reviews for PR #${PR_NUMBER}."
@@ -88,19 +73,10 @@ jobs:
          fi

          REVIEWER_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${REQUIRED_REVIEWER}" \
-            '[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
+            '[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | if .state then .state == "APPROVED" else false end')

          echo "${GATE_NAME} (${REQUIRED_REVIEWER}) approved: ${REVIEWER_APPROVED}"

-          # Fallback: check if CTO approved as alternative for uat→main
-          if [ "${REVIEWER_APPROVED}" != "true" ] && [ -n "${ALT_REVIEWER}" ]; then
-            REVIEWER_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${ALT_REVIEWER}" \
-              '[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
-            if [ "${REVIEWER_APPROVED}" = "true" ]; then
-              echo "CTO (${ALT_REVIEWER}) approved as fallback for UAT gate."
-            fi
-          fi
-
          if [ "${REVIEWER_APPROVED}" = "true" ]; then
            echo "Promotion gate passed: ${GATE_NAME} has approved."
          else
@@ -13,7 +13,6 @@ jobs:
  ci:
    runs-on: ubuntu-latest
    timeout-minutes: 10
-    container: node:22-slim

    steps:
      - name: Checkout
@@ -18,8 +18,11 @@ on:
        type: string
        default: ''
    secrets:
-      GITEA_RELEASE_TOKEN:
-        description: 'Gitea token with write access to repos (replaces GitHub App token flow)'
+      RELEASE_APP_ID:
+        description: 'GitHub App ID for creating PRs (org blocks GITHUB_TOKEN from creating PRs)'
+        required: true
+      RELEASE_APP_PRIVATE_KEY:
+        description: 'GitHub App private key (PEM format)'
        required: true

 permissions:
@@ -32,17 +35,17 @@ concurrency:

 jobs:
  check-secrets:
-    runs-on: runners-privilegedescalation
+    runs-on: ubuntu-latest
    outputs:
      ready: ${{ steps.check.outputs.ready }}
    steps:
-      - name: Verify GITEA_RELEASE_TOKEN is configured
+      - name: Verify RELEASE_APP_ID is configured
        id: check
        env:
-          GITEA_RELEASE_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
+          RELEASE_APP_ID: ${{ secrets.RELEASE_APP_ID }}
        run: |
-          if [ -z "$GITEA_RELEASE_TOKEN" ]; then
-            echo "::notice::GITEA_RELEASE_TOKEN org secret is not configured (see PRI-1533). Release skipped — no artifacts will be created."
+          if [ -z "$RELEASE_APP_ID" ]; then
+            echo "::notice::RELEASE_APP_ID org secret is not configured (see PRI-380). Release skipped — no artifacts will be created."
            echo "ready=false" >> $GITHUB_OUTPUT
          else
            echo "ready=true" >> $GITHUB_OUTPUT
@@ -58,28 +61,32 @@ jobs:
  check-token-permissions:
    needs: check-secrets
    if: needs.check-secrets.outputs.ready == 'true'
-    runs-on: runners-privilegedescalation
+    runs-on: ubuntu-latest
    outputs:
      has_write: ${{ steps.check.outputs.has_write }}
    steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.RELEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+
      - name: Check write permissions via API
        id: check
-        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
-          REPO: ${{ github.repository }}
        run: |
-          HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
+          HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
            -X POST \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            -H "Accept: application/json" \
-            "https://git.farh.net/api/v1/repos/${REPO}/git/refs" \
+            -H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \
+            -H "Accept: application/vnd.github+json" \
+            "https://api.github.com/repos/${{ github.repository }}/git/refs" \
            -d '{"ref":"refs/heads/_release_check","sha":"${{ github.sha }}"}')
          if [ "$HTTP_CODE" = "201" ]; then
            echo "::notice::Token has write permission — cleaning up test ref."
-            curl -sf -o /dev/null -w "%{http_code}" \
+            curl -s -o /dev/null -w "%{http_code}" \
              -X DELETE \
-              -H "Authorization: token ${GITEA_TOKEN}" \
-              "https://git.farh.net/api/v1/repos/${REPO}/git/refs/heads/_release_check"
+              -H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \
+              "https://api.github.com/repos/${{ github.repository }}/git/refs/heads/_release_check"
            echo "has_write=true" >> $GITHUB_OUTPUT
          elif [ "$HTTP_CODE" = "403" ]; then
            echo "::error::Token lacks write permission. Release cannot push tags or branches."
@@ -94,19 +101,16 @@ jobs:
  check-tag:
    needs: check-secrets
    if: needs.check-secrets.outputs.ready == 'true'
-    runs-on: runners-privilegedescalation
+    runs-on: ubuntu-latest
    outputs:
      skip: ${{ steps.check.outputs.skip }}
    steps:
      - name: Check if tag already exists
        id: check
-        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
-          REPO: ${{ github.repository }}
        run: |
-          HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            "https://git.farh.net/api/v1/repos/${REPO}/git/refs/tags/v${{ inputs.version }}")
+          HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+            -H "Authorization: Bearer ${{ github.token }}" \
+            "https://api.github.com/repos/${{ github.repository }}/git/refs/tags/v${{ inputs.version }}")
          if [ "$HTTP_CODE" = "200" ]; then
            echo "::notice::Tag v${{ inputs.version }} already exists. Release skipped (not an error)."
            echo "skip=true" >> $GITHUB_OUTPUT
@@ -117,7 +121,7 @@ jobs:
  release:
    needs: [ci, check-tag, check-secrets, check-token-permissions]
    if: needs.check-secrets.outputs.ready == 'true' && needs.check-tag.outputs.skip != 'true' && needs.check-token-permissions.outputs.has_write == 'true'
-    runs-on: runners-privilegedescalation
+    runs-on: ubuntu-latest
    timeout-minutes: 10

    steps:
@@ -139,6 +143,10 @@ jobs:
          if [ -f "pnpm-lock.yaml" ]; then
            echo "manager=pnpm" >> $GITHUB_OUTPUT
            echo "lockfile=pnpm-lock.yaml" >> $GITHUB_OUTPUT
+            # Check for packageManager field in package.json (Corepack pinning).
+            # pnpm/action-setup@v5 errors when packageManager is absent and no version
+            # is specified, so use Corepack for repos that have the field pinned and
+            # fall back to pnpm/action-setup with version: latest for repos that don't.
            PM=$(python3 -c "import json,sys; d=json.load(open('package.json')); print('true' if d.get('packageManager','').startswith('pnpm@') else 'false')" 2>/dev/null || echo "false")
            echo "has_package_manager=$PM" >> $GITHUB_OUTPUT
          else
@@ -151,9 +159,11 @@ jobs:
        uses: actions/setup-node@v6
        with:
          node-version: ${{ inputs.node-version }}
+          # Only enable built-in npm caching here; pnpm caching is handled below
+          # after pnpm is installed (corepack is not available before setup-node).
          cache: ${{ steps.pkg-manager.outputs.manager == 'npm' && 'npm' || '' }}

-      - name: Setup pnpm (via Corepack)
+      - name: Setup pnpm (via Corepack, reads version from packageManager field)
        if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'true'
        run: |
          npm install -g corepack
@@ -182,13 +192,10 @@ jobs:
            ${{ runner.os }}-pnpm-

      - name: Configure Git
-        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
        run: |
          git config --global user.name "github-actions[bot]"
          git config --global user.email "github-actions[bot]@users.noreply.github.com"
          git config --global --add safe.directory "$GITHUB_WORKSPACE"
-          git remote set-url origin "https://x-access-token:${GITEA_TOKEN}@git.farh.net/${{ github.repository }}.git"

      - name: Update version in package.json
        run: |
@@ -199,8 +206,6 @@ jobs:
          fi

      - name: Update artifacthub-pkg.yml
-        env:
-          REPO: ${{ github.repository }}
        run: |
          VERSION="${{ inputs.version }}"
          if [ -f artifacthub-pkg.yml ]; then
@@ -208,18 +213,14 @@ jobs:
          else
            PKG_NAME=$(jq -r .name package.json | sed 's|^@[^/]*/||')
          fi
-          RELEASE_URL="https://git.farh.net/${REPO}/releases/download/v${VERSION}/${PKG_NAME}-${VERSION}.tar.gz"
+          RELEASE_URL="https://github.com/${{ github.repository }}/releases/download/v${VERSION}/${PKG_NAME}-${VERSION}.tar.gz"
          sed -i "s/^version:.*/version: \"${VERSION}\"/" artifacthub-pkg.yml
          sed -i "s|headlamp/plugin/archive-url:.*|headlamp/plugin/archive-url: \"${RELEASE_URL}\"|" artifacthub-pkg.yml

      - name: Update appVersion from upstream release
        if: inputs.upstream-repo != ''
-        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
        run: |
-          APP_VERSION=$(curl -sf \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            "https://git.farh.net/api/v1/repos/${{ inputs.upstream-repo }}/releases/latest" | jq -r '.tag_name | ltrimstr("v")')
+          APP_VERSION=$(curl -sf "https://api.github.com/repos/${{ inputs.upstream-repo }}/releases/latest" | jq -r '.tag_name | ltrimstr("v")')
          if [ -z "$APP_VERSION" ] || [ "$APP_VERSION" = "null" ]; then
            echo "::warning::Could not fetch latest upstream release, skipping appVersion update"
          else
@@ -258,6 +259,8 @@ jobs:
      - name: Prepare release tarball
        run: |
          VERSION="${{ inputs.version }}"
+          # headlamp-plugin strips the @org/ prefix when naming tarballs.
+          # e.g. @privilegedescalation/headlamp-argocd-plugin -> headlamp-argocd-plugin
          if [ -f artifacthub-pkg.yml ]; then
            PKG_NAME=$(grep '^name:' artifacthub-pkg.yml | cut -d: -f2 | tr -d ' "')
          else
@@ -289,11 +292,13 @@ jobs:
          sed -i "s|headlamp/plugin/archive-checksum:.*|headlamp/plugin/archive-checksum: sha256:${CHECKSUM}|" artifacthub-pkg.yml

      - name: Commit and tag
-        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
        run: |
          VERSION="${{ inputs.version }}"
          BRANCH="release/v${VERSION}"
+          # If the release branch already exists (e.g. from a failed prior run),
+          # delete it so the re-trigger can proceed cleanly. The check-tag job
+          # above already skips when the tag exists, so we only reach here when
+          # the tag does NOT exist yet — safe to remove a stale branch.
          if git ls-remote --exit-code origin "refs/heads/$BRANCH" 2>/dev/null; then
            echo "::notice::Branch $BRANCH already exists — deleting for clean re-trigger."
            git push origin --delete "$BRANCH"
@@ -305,113 +310,131 @@ jobs:
          git push origin "$BRANCH"
          git push origin "refs/tags/v${VERSION}"

-      - name: Create Gitea Release
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.RELEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: "v${{ inputs.version }}"
+          files: ${{ env.TARBALL }}
+          fail_on_unmatched_files: false
+          generate_release_notes: true
        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
-          REPO: ${{ github.repository }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+
+      - name: Install GitHub CLI
        run: |
-          VERSION="${{ inputs.version }}"
-          TARBALL="${{ env.TARBALL }}"
-          RESPONSE=$(curl -sf -X POST \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            -H "Content-Type: application/json" \
-            "https://git.farh.net/api/v1/repos/${REPO}/releases" \
-            -d "{
-              \"tag_name\": \"v${VERSION}\",
-              \"name\": \"Release v${VERSION}\",
-              \"draft\": false,
-              \"prerelease\": false
-            }")
-          if [ -z "$RESPONSE" ]; then
-            echo "::warning::Release creation returned empty response (may already exist)"
-          else
-            echo "::notice::Release v${VERSION} created successfully"
-          fi
-          UPLOAD_URL=$(echo "$RESPONSE" | jq -r '.upload_url' 2>/dev/null || echo "")
-          if [ -n "$UPLOAD_URL" ] && [ "$UPLOAD_URL" != "null" ]; then
-            UPLOAD_URL="${UPLOAD_URL%%\{*}"
-            curl -sf -X POST \
-              -H "Authorization: token ${GITEA_TOKEN}" \
-              -H "Content-Type: application/octet-stream" \
-              "${UPLOAD_URL}?name=${TARBALL}" \
-              --data-binary "@${TARBALL}"
-            echo "::notice::Tarball uploaded successfully"
+          if ! command -v gh &>/dev/null; then
+            GH_VERSION="2.74.0"
+            curl -fsSL "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz" -o /tmp/gh.tar.gz
+            tar -xzf /tmp/gh.tar.gz -C /tmp
+            mkdir -p "$HOME/.local/bin"
+            mv "/tmp/gh_${GH_VERSION}_linux_amd64/bin/gh" "$HOME/.local/bin/gh"
+            rm -rf /tmp/gh.tar.gz "/tmp/gh_${GH_VERSION}_linux_amd64"
+            echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+            "$HOME/.local/bin/gh" --version
          fi

      - name: Create PR for version bump
-        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
-          REPO: ${{ github.repository }}
        run: |
          set -o pipefail
          VERSION="${{ inputs.version }}"
          BODY=$(printf "Automated version bump and checksum update for v%s.\n\ncc @cpfarhood" "${VERSION}")
-          RESPONSE=$(curl -sf -X POST \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            -H "Content-Type: application/json" \
-            "https://git.farh.net/api/v1/repos/${REPO}/pulls" \
-            -d "{
-              \"title\": \"release: v${VERSION}\",
-              \"body\": \"$BODY\",
-              \"base\": \"main\",
-              \"head\": \"release/v${VERSION}\"
-            }")
-          PR_NUMBER=$(echo "$RESPONSE" | jq -r '.number' 2>/dev/null || echo "")
-          if [ -z "$PR_NUMBER" ] || [ "$PR_NUMBER" = "null" ]; then
-            EXISTING=$(curl -sf \
-              -H "Authorization: token ${GITEA_TOKEN}" \
-              "https://git.farh.net/api/v1/repos/${REPO}/pulls?state=open&base=main&head=release/v${VERSION}" \
-              | jq -r '.[0].number' 2>/dev/null || echo "")
-            if [ -n "$EXISTING" ] && [ "$EXISTING" != "null" ]; then
-              PR_NUMBER="$EXISTING"
-              echo "::notice::Open PR #${PR_NUMBER} for release/v${VERSION} already exists — skipping creation."
-            else
-              echo "::error::Could not determine PR number for release/v${VERSION}."
-              exit 1
-            fi
+          # Create PR only if an OPEN one doesn't already exist.
+          # Note: gh pr view also finds MERGED PRs; we must check for open ones explicitly
+          # so that a re-trigger after a stale-branch delete creates a fresh PR.
+          OPEN_PR=$(gh pr list --base main --head "release/v${VERSION}" --state open --json number --jq '.[0].number' 2>/dev/null)
+          if [ -z "$OPEN_PR" ]; then
+            gh pr create \
+              --title "release: v${VERSION}" \
+              --body "$BODY" \
+              --base main \
+              --head "release/v${VERSION}"
+            # Pull the number again to handle both create and pre-existing cases
+            OPEN_PR=$(gh pr list --base main --head "release/v${VERSION}" --state open --json number --jq '.[0].number' 2>/dev/null)
+          else
+            echo "::notice::Open PR #${OPEN_PR} for release/v${VERSION} already exists — skipping creation."
          fi
-          echo "::notice::Working with PR #${PR_NUMBER}"
+          # Guard: ensure we have a PR number before proceeding
+          if [ -z "$OPEN_PR" ]; then
+            echo "::error::Could not determine PR number for release/v${VERSION}."
+            exit 1
+          fi
+          echo "::notice::Working with PR #${OPEN_PR}"

-          PR_STATE=$(curl -sf \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}" \
-            | jq -r '.state' 2>/dev/null || echo "")
-          if [ "$PR_STATE" = "merged" ]; then
-            echo "::notice::PR #${PR_NUMBER} was already merged. Nothing to do."
+          # Check if PR was already merged (idempotency — safe to re-trigger after a stale branch)
+          MERGED_CHECK=$(gh pr view "$OPEN_PR" --json state --jq '.state' 2>/dev/null)
+          if [ "$MERGED_CHECK" = "MERGED" ]; then
+            echo "::notice::PR #${OPEN_PR} was already merged. Nothing to do."
            exit 0
          fi
-
-          MERGE_RESULT=$(curl -sf -X POST \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            -H "Content-Type: application/json" \
-            "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}/merge" \
-            -d '{"do": "squash"}')
-          if echo "$MERGE_RESULT" | jq -e '.merged' 2>/dev/null; then
-            echo "PR merged successfully."
-          else
-            if [ "$PR_STATE" = "merged" ]; then
-              echo "PR was already merged."
-            else
-              echo "::warning::Merge response: $MERGE_RESULT"
+          # Determine whether to use --auto or not based on current status.
+          # Retry the status check up to 3 times with exponential back-off when
+          # GitHub is still computing the merge state (UNKNOWN state).
+          MAX_RETRIES=3
+          BACKOFF=3
+          MERGE_STATE=""
+          for i in $(seq 1 $MAX_RETRIES); do
+            MERGE_STATE=$(gh pr view "$OPEN_PR" --json mergeStateStatus --jq '.mergeStateStatus' 2>/dev/null)
+            if [ "$MERGE_STATE" != "UNKNOWN" ]; then
+              break
            fi
+            if [ $i -lt $MAX_RETRIES ]; then
+              echo "PR merge state is UNKNOWN (GitHub still computing). Retry ${i}/${MAX_RETRIES} in ${BACKOFF}s..."
+              sleep $BACKOFF
+              BACKOFF=$((BACKOFF * 2))
+            fi
+          done
+
+          if [ "$MERGE_STATE" = "BLOCKED" ] || [ "$MERGE_STATE" = "UNKNOWN" ]; then
+            echo "PR is $MERGE_STATE — attempting auto-merge (safe fallback, waits for branch protection checks)."
+            if gh pr merge "$OPEN_PR" --auto --squash --delete-branch 2>&1; then
+              echo "Auto-merge initiated successfully."
+            else
+              AUTO_MERGE_ERR=$?
+              # If --auto failed because auto-merge is disabled for this repo
+              # (autoMergeAllowed: false), fall back to --admin which merges
+              # regardless of branch protection rules. --admin requires GitHub
+              # App token, not GITHUB_TOKEN, so GH_TOKEN is already correct.
+              if gh pr merge "$OPEN_PR" --admin --squash --delete-branch 2>&1; then
+                echo "Auto-merge unavailable (autoMergeAllowed: false) — merged via --admin."
+              else
+                echo "::error::Both --auto and --admin merge failed. Exiting."
+                exit 1
+              fi
+            fi
+          else
+            echo "PR is $MERGE_STATE — merging directly."
+            gh pr merge "$OPEN_PR" --squash --delete-branch
          fi
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}

      - name: Verify checksums are consistent (main == tag == tarball)
-        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
-          REPO: ${{ github.repository }}
        run: |
          VERSION="${{ inputs.version }}"
          TARBALL_CS=$(sha256sum "${{ env.TARBALL }}" | awk '{print $1}')
-          TAG_CS=$(git show "v${VERSION}:artifacthub-pkg.yml" 2>/dev/null \
-            | grep "archive-checksum" | awk '{print $2}' | sed 's/sha256://')
-          MAIN_CS=$(git fetch origin main 2>/dev/null; git show "origin/main:artifacthub-pkg.yml" \
-            | grep "archive-checksum" | awk '{print $2}' | sed 's/sha256://')
+
+          # Checksum recorded in the tag's artifacthub-pkg.yml
+          TAG_CS=$(git show "v${VERSION}:artifacthub-pkg.yml" 2>/dev/null             | grep "archive-checksum" | awk '{print $2}' | sed 's/sha256://')
+
+          # Checksum now on main (after PR merge)
+          MAIN_CS=$(git fetch origin main 2>/dev/null; git show "origin/main:artifacthub-pkg.yml"             | grep "archive-checksum" | awk '{print $2}' | sed 's/sha256://')
+
          echo "Tarball SHA256 : $TARBALL_CS"
          echo "Tag artifacthub: $TAG_CS"
          echo "Main artifacthub: $MAIN_CS"
+
          FAIL=0
          [ "$TARBALL_CS" != "$TAG_CS"  ] && echo "ERROR: tag checksum mismatch!"  && FAIL=1
          [ "$TARBALL_CS" != "$MAIN_CS" ] && echo "ERROR: main checksum mismatch!" && FAIL=1
          [ "$FAIL" = "1" ] && exit 1
-          echo "All checksums consistent — ArtifactHub will index correctly."
+          echo "All checksums consistent — ArtifactHub will index correctly."
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+
@@ -11,21 +11,13 @@ jobs:

    steps:
      - name: Checkout
-        env:
-          HEAD_REF: ${{ github.head_ref }}
-          BASE_REF: ${{ github.base_ref }}
-        run: |
-          git clone --depth=1 "https://x-access-token:${{ secrets.GITEA_TOKEN }}@git.farh.net/${{ github.repository }}.git" .
-          git fetch origin "$BASE_REF" --depth=1
-          git fetch origin "$HEAD_REF" --depth=1
-          git checkout "${{ github.sha }}"
+        uses: actions/checkout@v6

      - name: Install actionlint
        run: |
          ACTIONLINT_VERSION="1.7.7"
          mkdir -p "$HOME/.local/bin"
-          apt-get install -y wget -qq >/dev/null 2>&1 || true
-          wget -qO- "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" \
+          curl -fsSL "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" \
            | tar -xz -C "$HOME/.local/bin" actionlint
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"

@@ -34,7 +26,7 @@ jobs:

      - name: Install shellcheck
        run: |
-          apt-get update -qq && apt-get install -y -qq shellcheck >/dev/null 2>&1
+          sudo apt-get update -qq && sudo apt-get install -y -qq shellcheck >/dev/null 2>&1

      - name: Shellcheck scripts
        run: |
@@ -1,27 +0,0 @@
-name: Renovate
-
-on:
-  schedule:
-    - cron: '0 2 * * 6'  # Saturday 2:00 UTC — aligns with "every weekend" in renovate-config.json
-  workflow_dispatch:
-
-jobs:
-  renovate:
-    runs-on: runners-privilegedescalation
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Run Renovate
-        env:
-          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
-          RENOVATE_PLATFORM: gitea
-          RENOVATE_ENDPOINT: https://git.farh.net
-          RENOVATE_AUTODISCOVER: "true"
-          LOG_LEVEL: debug
-        run: |
-          npx renovate \
-            --token="${RENOVATE_TOKEN}" \
-            --platform=gitea \
-            --endpoint=https://git.farh.net \
-            --configurationFile=renovate-config.json
Author	SHA1	Message	Date
Chris Farhood	6c9a4acb7f	fix(PR-67): correct token reference and step order in plugin-release - Move Generate GitHub App token before Create GitHub Release step - Change GITHUB_TOKEN env var from secrets.GITHUB_TOKEN (not injected by Gitea runners) to steps.app-token.outputs.token Refs: PRI-1702	2026-05-21 02:21:13 +00:00
Chris Farhood	f4e8472cb3	fix(CI): replace runners-privilegedescalation with ubuntu-latest Detect PR Pipeline Type / test-detection-logic (pull_request) Failing after 1s Details Detect PR Pipeline Type / detect-pipeline (pull_request) Failing after 2s Details PR Validation / validate (pull_request) Failing after 1s Details Updates all workflow files and actionlint config to use ubuntu-latest instead of the deprecated runners-privilegedescalation self-hosted runner. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-20 14:51:46 +00:00