File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -42,18 +42,14 @@ jobs:
4242 sh -n plugins/codex-fable5/bin/codex-goals
4343
4444 - name : Fetch pinned FABLE-5 source
45- env :
46- GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
4745 run : |
4846 set -euo pipefail
4947 mkdir -p build/fable5
5048 # The pin lives in the coverage matrix's preamble. Hardcode the
5149 # commit SHA from the matrix's source note for explicit traceability.
5250 PIN="dc626fed52b06d687cdc812d51090c95ed03d575"
5351 curl -fsSL \
54- -H "Authorization: Bearer ${GH_TOKEN}" \
55- -H "Accept: application/vnd.github.raw" \
56- "https://api.github.com/repos/elder-plinius/CL4R1T4S/contents/ANTHROPIC/CLAUDE-FABLE-5.md?ref=${PIN}" \
52+ "https://raw.githubusercontent.com/elder-plinius/CL4R1T4S/${PIN}/ANTHROPIC/CLAUDE-FABLE-5.md" \
5753 -o build/fable5/CLAUDE-FABLE-5.md
5854 # Sanity check: file must contain a Fable 5 marker.
5955 grep -q "Fable 5" build/fable5/CLAUDE-FABLE-5.md \
Original file line number Diff line number Diff line change @@ -293,6 +293,24 @@ def test_ci_workflow_validates_against_pinned_source(self) -> None:
293293 workflow = (ROOT / ".github" / "workflows" / "ci.yml" ).read_text (encoding = "utf-8" )
294294 self .assertIn ("CLAUDE-FABLE-5.md" , workflow )
295295 self .assertIn ("elder-plinius/CL4R1T4S" , workflow )
296+ fetch_step = re .search (
297+ r" - name: Fetch pinned FABLE-5 source\n(?P<body>.*?)(?:\n - name: |\Z)" ,
298+ workflow ,
299+ re .DOTALL ,
300+ )
301+ self .assertIsNotNone (fetch_step , "CI workflow must define the pinned source fetch step" )
302+ assert fetch_step is not None # for type checkers
303+ fetch_step_body = fetch_step .group ("body" )
304+ self .assertIn (
305+ "raw.githubusercontent.com/elder-plinius/CL4R1T4S/${PIN}/ANTHROPIC/CLAUDE-FABLE-5.md" ,
306+ fetch_step_body ,
307+ "CI should fetch the public pinned source directly, matching the release checklist" ,
308+ )
309+ self .assertNotIn (
310+ "Authorization: Bearer" ,
311+ fetch_step_body ,
312+ "CI source fetch should not rely on a hand-built Authorization header; malformed quoting can hide curl failures" ,
313+ )
296314 pin_match = re .search (r'PIN="([0-9a-f]{40})"' , workflow )
297315 self .assertIsNotNone (pin_match , "CI workflow must define the pinned upstream SHA" )
298316 assert pin_match is not None # for type checkers
You can’t perform that action at this time.
0 commit comments