fix: resolve WinGet fork-user from token owner; add workflow_dispatch

[spoorcc]

The WinGet publish workflow was failing with:
Could not resolve to a Repository with the name 'dfetch-org/winget-pkgs'

Root cause: winget-releaser defaulted fork-user to the repository owner
(dfetch-org), but a fine-grained PAT scoped to an organisation cannot
create org-level forks — the fork of microsoft/winget-pkgs therefore
never existed in dfetch-org.

Fix: add a step that calls GET /user with the WINGET_TOKEN to discover
the personal GitHub account that owns the token, then pass that account
as fork-user to winget-releaser. komac will fork winget-pkgs into the
personal account (where the token has full rights) and open the PR from
there — the standard WinGet community pattern.

Also add workflow_dispatch so maintainers can manually re-trigger the
publish for an already-released tag (e.g. to retry 0.14.2 after updating
the token).

Update the token-setup comment: the PAT must be created with the user's
personal account as resource owner, not the DFetch-org organisation.

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com
Claude-Session: https://claude.ai/code/session_012NwjWMaDcFgUU1UNpQFfY4

Summary by CodeRabbit

• New Features

  • Enabled manual control over release publishing workflow.

• Chores

  • Enhanced release workflow stability and token management for package distribution.

[coderabbitai]

Warning

Review limit reached

@spoorcc, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 45 minutes and 15 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e2662ed9-91f2-445d-988c-6de6fee9a90a

📥 Commits

Reviewing files that changed from the base of the PR and between 7d99549 and d384d9d.

📒 Files selected for processing (1)

• .github/workflows/winget-publish.yml

Walkthrough

The winget-publish.yml workflow gains a workflow_dispatch trigger with a required release-tag input. The publish job condition and concurrency group are updated to handle both release and manual runs. A new step resolves the WinGet fork owner by querying the GitHub API with WINGET_TOKEN, and the result is passed to vedantmgoyal9/winget-releaser as fork-user.

Changes

WinGet Publish Workflow Enhancements

Layer / File(s)	Summary
Manual dispatch trigger, job condition, and concurrency .github/workflows/winget-publish.yml	Adds workflow_dispatch with a required release-tag input; updates the publish job if condition to allow manual runs while still skipping the rolling latest tag; keys the concurrency group off the resolved tag from either github.event.release.tag_name or inputs.release-tag.
Fork owner resolution step and winget-releaser wiring .github/workflows/winget-publish.yml	Adds a step that calls https://api.github.com/user with WINGET_TOKEN to extract the authenticated login and exports it as fork-user; updates the inline comments to document the personal-account requirement; wires release-tag and fork-user into the winget-releaser action invocation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• dfetch-org/dfetch#1263: Introduces the winget-publish.yml workflow and the baseline vedantmgoyal9/winget-releaser invocation that this PR extends with manual dispatch and fork-user resolution.

Suggested labels

development, github_actions

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the two main changes: resolving the WinGet fork-user from the token owner and adding workflow_dispatch support.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/dfetch-ci-step-4-o3kr0o

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/winget-publish.yml:
- Around line 53-58: The shell command in the run step directly expands the
secrets.WINGET_TOKEN template into the curl command, which is flagged by static
analysis tools. Instead, set the WINGET_TOKEN as an environment variable at the
step level using the env key, then reference that environment variable in the
curl Authorization header (using $WINGET_TOKEN) to follow the recommended
defense-in-depth pattern for handling secrets in shell commands.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9dfbf974-0e54-481d-9366-e06a175adf05

📥 Commits

Reviewing files that changed from the base of the PR and between 8e4a5e3 and 7d99549.

📒 Files selected for processing (1)

• .github/workflows/winget-publish.yml