Merged
11 changes: 11 additions & 0 deletions .github/workflows/bun-compile.yml
Expand Up @@ -126,6 +126,7 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: write
variables: write
steps:
- name: Download all artifacts
uses: actions/download-artifact@v4
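Review bot: `variables: write` is added to the job-level `permissions` block rather than at workflow level, which keeps the extra grant confined to the release job; since `variables` is not among the long-established keys of this block (`actions`, `contents`, `packages`, `id-token`, ...), add a short YAML comment above it naming the GitHub docs entry it relies on, and confirm with a run of this job under `GITHUB_TOKEN` (not a PAT) that the workflow parser accepts the key and the token can PATCH the variable, so the release is not created and then left inconsistent by a failing follow-up step.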
Expand Down Expand Up @@ -159,3 +160,13 @@ jobs:
$PRERELEASE_FLAG \
artifacts/*

- name: Update V1_LATEST_TAG variable
if: ${{ !contains(inputs.version || github.event.client_payload.version, 'prerelease') }}
Contributor

contains() in GitHub expressions is case-insensitive, while the prerelease detection in the Create GitHub Release step uses a bash glob match that is case-sensitive; mixed-case versions could cause the release type and the V1_LATEST_TAG update decision to diverge.

Severity: low


env:
GH_TOKEN: ${{ github.token }}

Could we avoid using github.token for this API call? The repository variables endpoint requires repository Variables: write permission, which the workflow GITHUB_TOKEN does not expose/grant here, so this step is likely to fail with Resource not accessible by integration after the release has already been created.

Current code:

GH_TOKEN: ${{ github.token }}

Suggested improvement:

GH_TOKEN: ${{ secrets.VARIABLES_WRITE_TOKEN }}

Consider using a GitHub App token or fine-grained PAT secret scoped to repository variables write access (plus metadata read) for just this update step.

Contributor Author

Good catch. Instead of a separate PAT, I added variables: write to the job's permissions block, which grants the GITHUB_TOKEN access to update repo variables. Verified the API call works — pushed in d3b28b6.

VERSION: ${{ inputs.version || github.event.client_payload.version }}
run: |
gh api --method PATCH "repos/${{ github.repository }}/actions/variables/V1_LATEST_TAG" \
Contributor

@augment-app-staging augment-app-staging bot Apr 16, 2026

This step updates a repository Actions variable via the Actions API, but the release job only grants contents: write; with restricted job permissions, GITHUB_TOKEN may lack actions: write and this call can 403 at runtime.

Severity: medium


Contributor Author

The required permission is variables: write, not actions: write. Per GitHub docs, the fine-grained token needs "Variables" repository permissions (write). This has been added to the job's permissions block in d3b28b6.

-f name="V1_LATEST_TAG" \
-f value="v${VERSION}"
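Review bot: `-f value="v${VERSION}"` on the last line prepends `v` unconditionally, while `VERSION` comes from `inputs.version || github.event.client_payload.version`, so a dispatch payload that already carries a `v`-prefixed version writes `vv1.2.3` into `V1_LATEST_TAG` and every consumer of that variable inherits the bad tag; strip the prefix first (`VERSION=${VERSION#v}`) or validate the value against the expected version pattern and exit non-zero before the `gh api` call. The `if:` guard on `contains(..., 'prerelease')` is case-insensitive, so the same normalisation should feed both this step and the Create GitHub Release step's prerelease detection, otherwise the two decisions can diverge for mixed-case input.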