fix(ci): give release-plz git credentials for its temp-clone pushes #387

Merged
jwilger merged 2 commits from fix/release-plz-git-auth into main 2026-06-12 17:56:15 -07:00
Owner

Summary

Follow-up to #386. The release-plz run on main got much further on the ubuntu-24.04 runner but failed at the push step:

fatal: could not read Username for 'https://git.johnwilger.com': No such device or address

release-plz copies the repo to a temp directory and pushes release branches/tags from there over HTTPS. actions/checkout@v6 stores its credentials behind gitdir-scoped includeIf config, which the temp copy does not inherit — so release-plz's pushes have no credentials.

Fix

Port the configure-release-plz-git-auth.sh askpass helper used by the emc repo and source it in the same step that invokes release-plz, in both release-plz.yml (uses RELEASE_PLZ_TOKEN) and publish.yml (uses the actions token).

Notes

  • During the failed run release-plz closed the stale April release PR #384 itself; the next successful run on main will open a fresh release PR (v0.8.1).
  • CI/infra only — no library code changes.
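The askpass approach described above, as an added example that is not part of this pull request and is not the project's `configure-release-plz-git-auth.sh`: environment variables are inherited by every git process, including ones run from a temp copy where the checkout's gitdir-scoped config does not apply. `GIT_TOKEN`, `GIT_ASKPASS` and `GIT_TERMINAL_PROMPT` are the names used on this page; the function name, the `GIT_ASKPASS_USERNAME` variable and the `x-access-token` default username are assumptions.

```shell
#!/bin/sh
# Added example: askpass setup for git pushes made from a temp clone.
# Meant to be sourced (". ./script.sh") so the exports reach the calling step.

configure_git_askpass() {
    # GIT_TOKEN is the variable name the workflows on this page set.
    if [ -z "${GIT_TOKEN:-}" ]; then
        echo "GIT_TOKEN is not set; refusing to configure askpass" >&2
        return 1
    fi

    # Private directory so no other local user can read or swap the helper.
    askpass_dir=$(mktemp -d "${TMPDIR:-/tmp}/git-askpass.XXXXXX") || return 1
    chmod 700 "$askpass_dir"
    askpass_path="$askpass_dir/askpass.sh"

    # Quoted heredoc: nothing is expanded now, so the token never lands on disk.
    # The helper reads GIT_TOKEN from the environment when git calls it.
    cat > "$askpass_path" <<'EOF'
#!/bin/sh
# git passes the prompt text as $1, e.g. "Username for 'https://host': "
# GIT_ASKPASS_USERNAME and its default are assumptions of this example.
case "$1" in
    Username*) printf '%s\n' "${GIT_ASKPASS_USERNAME:-x-access-token}" ;;
    Password*) printf '%s\n' "$GIT_TOKEN" ;;
    *)         exit 1 ;;
esac
EOF
    chmod 700 "$askpass_path"

    # The helper runs as a child of git, so the token must be exported.
    export GIT_TOKEN
    export GIT_ASKPASS="$askpass_path"
    # Fail fast instead of waiting on a terminal prompt the runner does not have.
    export GIT_TERMINAL_PROMPT=0
}
```
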
fix(ci): give release-plz git credentials for its temp-clone pushes
ea43d71be0
release-plz copies the repository to a temp directory and pushes release
branches and tags from there over HTTPS. actions/checkout@v6 stores its
credentials behind gitdir-scoped includeIf config, which the temp copy
does not inherit, so the push failed with 'could not read Username for
https://git.johnwilger.com' and the release PR was never created.

Port the configure-release-plz-git-auth.sh askpass helper used by the
emc repo and source it in the same step that invokes release-plz in
both the release-pr and publish workflows.
auto-review approved these changes 2026-06-12 17:41:06 -07:00
Dismissed
auto-review left a comment

The changes appear safe to merge, but ensure the script is executable in the CI environment.

Walkthrough

  • .forgejo/scripts/configure-release-plz-git-auth.sh

    • Introduces a script to configure git credentials for release-plz's temporary clones.
    • Exports GIT_ASKPASS to provide credentials during git operations.
    • Checks if GIT_TOKEN is set before proceeding.
  • .forgejo/workflows/publish.yml and release-plz.yml

    • Sources the new script to ensure git credentials are available for release-plz's operations.
    • Sets GIT_TOKEN environment variable to the appropriate token for authentication.

LLM usage and cost

  • Reasoning (gpt-4o) in=1850 out=376 cost=$0.014890
  • Cheap (gpt-4o-mini) in=1775 out=82 cost=$0.000315

Estimated total USD: $0.015205 via https://api.openai.com and https://api.openai.com
Owner

🟡 Warning: Ensure that the configure-release-plz-git-auth.sh script is executable in the CI environment. If not, the script may fail to run, causing the workflow to break.

@ -53,7 +53,12 @@ jobs:
env:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
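Review bot: The new GIT_TOKEN line at the end of this env block has no comment saying what reads it, and it repeats the value already passed as GITHUB_TOKEN on the line above. A reader of this block cannot tell that GIT_TOKEN exists only for the sourced askpass helper, so add a one-line comment to that effect. Every process started by this step can read all three secrets listed here, so it is also worth confirming that this is the token the pushes should be made with.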
Author
Owner

Should this not also be the RELEASE_PLZ_TOKEN?

fix(ci): use RELEASE_PLZ_TOKEN throughout the publish workflow
bb242e04ee
Review feedback on #387: the publish workflow used the ephemeral actions
token for checkout and for release-plz's git pushes. Use the
RELEASE_PLZ_TOKEN PAT for all of it, matching the release-pr workflow
and the emc repo's release phase — the PAT pushes tags under the bot
identity and would trigger any future tag-driven workflows, which the
actions token deliberately does not.
jwilger dismissed auto-review's review 2026-06-12 17:49:49 -07:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

auto-review left a comment

The PR updates the CI workflow to use RELEASE_PLZ_TOKEN for git operations, addressing credential issues during release-plz runs. Ensure the token has appropriate permissions.

Walkthrough

Δ since ea43d71:

  • Updated .forgejo/workflows/publish.yml to replace GITHUB_TOKEN with RELEASE_PLZ_TOKEN for git operations.
  • This change aims to fix credential issues encountered during release-plz runs by ensuring the correct token is used for authentication.

LLM usage and cost

  • Reasoning (gpt-4o) in=1376 out=179 cost=$0.009565
  • Cheap (gpt-4o-mini) in=1136 out=100 cost=$0.000230

Estimated total USD: $0.009795 via https://api.openai.com and https://api.openai.com
Owner

🟡 Warning: Ensure that the RELEASE_PLZ_TOKEN has the necessary permissions for all operations previously covered by GITHUB_TOKEN, especially if there are differences in scope or permissions between these tokens.

jwilger left a comment

Addressed review feedback in bb242e0.

Author
Owner

The script is sourced with `.` rather than executed, so the executable bit is not required at runtime — but it is committed with mode 100755 anyway (`git ls-files -s` shows 100755), so direct execution would also work.
@ -54,2 +54,3 @@
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_TOKEN }}
GIT_TOKEN: ${{ secrets.RELEASE_PLZ_TOKEN }}
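Review bot: With GITHUB_TOKEN set from secrets.RELEASE_PLZ_TOKEN, the variable name no longer says what it holds, and a reader scanning this env block will assume the ephemeral actions token rather than a PAT. Add a comment on the GITHUB_TOKEN and GIT_TOKEN lines stating that both deliberately carry the PAT, and keep this env block on the release-plz step alone so the PAT and CARGO_REGISTRY_TOKEN are not exposed to other steps.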
Author
Owner

Agreed — switched the checkout token, GITHUB_TOKEN, and GIT_TOKEN in this workflow to RELEASE_PLZ_TOKEN in bb242e0, matching the release-pr workflow and emc's release phase. The PAT pushes tags under the bot identity and would trigger any future tag-driven workflows, which the ephemeral actions token deliberately does not.

Author
Owner

@auto-review re-review

Owner

Queued a forced review at bb242e04ee. This intentionally bypasses CI gating; watch the commit-status badge for progress.

auto-review left a comment

The changes appear safe to merge, with no library code modifications.

Walkthrough

  • .forgejo/scripts/configure-release-plz-git-auth.sh:

    • Introduces a script to set up git credentials for release-plz's temporary clones.
    • Uses GIT_ASKPASS to provide credentials, ensuring git operations can proceed without manual input.
    • The script is sourced in workflows to apply the credentials.
  • .forgejo/workflows/publish.yml and release-plz.yml:

    • Updated to use RELEASE_PLZ_TOKEN for authentication, aligning with the new script.
    • The script is sourced to ensure credentials are available for release-plz's operations.

LLM usage and cost

  • Reasoning (gpt-4o) in=2282 out=334 cost=$0.016420
  • Cheap (gpt-4o-mini) in=1833 out=68 cost=$0.000316

Estimated total USD: $0.016736 via https://api.openai.com and https://api.openai.com
@ -0,0 +38,4 @@
chmod 700 "$askpass_path"
export GIT_ASKPASS="$askpass_path"
export GIT_TERMINAL_PROMPT=0
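Review bot: chmod 700 "$askpass_path" on the first line of this hunk tightens the helper only after it has been written, so between creation and this line the file has whatever mode the runner's umask gave it. If the lines above write the token into the file rather than having the helper read GIT_TOKEN from the environment, set umask 077 or create the file with mktemp before writing it. Because the script is sourced, askpass_path also stays defined in the calling step's shell; unset it after the exports if nothing else needs it.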
Owner

🟡 Warning: Ensure that the configure-release-plz-git-auth.sh script is sourced correctly in all workflows that require it, as missing this step will cause authentication failures during git operations.

jwilger deleted branch fix/release-plz-git-auth 2026-06-12 17:56:15 -07:00