Commit 0eadb27

ci(deploy): use REPO_ACCESS_TOKEN for sibling-repo checkouts

The first auto-deploy run on 2026-05-15T06:28Z failed because GITHUB_TOKEN is auto-scoped to the current repo only — fetching the private sibling repos (common, proto) returned 404 from the GH API. Swap both Checkout steps to use REPO_ACCESS_TOKEN, a fine-grained PAT with read access to those siblings.

Operator action that made this work: `gh secret set REPO_ACCESS_TOKEN --repo InstaNode-dev/<this-repo>`.

The ghcr.io docker login step still uses GITHUB_TOKEN — packages:write is implicit on the current repo's token, no PAT needed there.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 parent 052c79b commit 0eadb27

1 file changed

Lines changed: 5 additions & 2 deletions

.github/workflows/deploy.yml

@@ -61,14 +61,17 @@ jobs:
6161
uses: actions/checkout@v4
6262
with:
6363
repository: ${{ vars.COMMON_REPO || format('{0}/common', github.repository_owner) }}
64-
token: ${{ secrets.GITHUB_TOKEN }}
64+
# 2026-05-15: GITHUB_TOKEN is scoped to THIS repo only and 404s
65+
# on private sibling repos. REPO_ACCESS_TOKEN is a fine-grained
66+
# PAT with read access to InstaNode-dev/{common,proto}.
67+
token: ${{ secrets.REPO_ACCESS_TOKEN }}
6568
path: common
6669

6770
- name: Checkout proto sibling into ./proto
6871
uses: actions/checkout@v4
6972
with:
7073
repository: ${{ vars.PROTO_REPO || format('{0}/proto', github.repository_owner) }}
71-
token: ${{ secrets.GITHUB_TOKEN }}
74+
token: ${{ secrets.REPO_ACCESS_TOKEN }}
7275
path: proto
7376

7477
- name: Compute build metadata
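
Review bot: Neither `with:` block that now passes `token: ${{ secrets.REPO_ACCESS_TOKEN }}` sets `persist-credentials: false`, so actions/checkout keeps the PAT in the git configuration of `./common` and `./proto` for the rest of the job, where before it was only the job-scoped GITHUB_TOKEN. These steps need a one-time fetch only, so add `persist-credentials: false` to both, which keeps a long-lived credential away from later steps and from anything that copies those directories. Separately, the new comment names InstaNode-dev/{common,proto} while `repository:` can be overridden through `vars.COMMON_REPO` and `vars.PROTO_REPO`; it would help to say in the comment that the PAT's repository grant has to change with those variables, and to repeat or reference the comment on the proto step, which currently has none.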
