diff --git a/.github/workflows/auto-changelog.yml b/.github/workflows/auto-changelog.yml index ceeed77a..9c52b9d3 100644 --- a/.github/workflows/auto-changelog.yml +++ b/.github/workflows/auto-changelog.yml @@ -14,4 +14,4 @@ jobs: - name: Draft Release uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6 env: - CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/auto-versioning.yml b/.github/workflows/auto-versioning.yml index 1a88dc73..b63a5e4b 100644 --- a/.github/workflows/auto-versioning.yml +++ b/.github/workflows/auto-versioning.yml @@ -68,7 +68,7 @@ jobs: # Export the tag for downstream steps echo "tag=${TAG}" >> $GITHUB_OUTPUT env: - CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Determine tag id: determine_tag @@ -89,14 +89,14 @@ jobs: run: | TAG=${{ steps.determine_tag.outputs.tag }} echo "Checking for release for tag: ${TAG}" - STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${CHARON_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}") || true + STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${GITHUB_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}") || true if [ "${STATUS}" = "200" ]; then echo "exists=true" >> $GITHUB_OUTPUT else echo "exists=false" >> $GITHUB_OUTPUT fi env: - CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Create GitHub Release (tag-only, no workspace changes) if: ${{ steps.semver.outputs.changed == 'true' && steps.check_release.outputs.exists == 'false' }} diff --git a/.github/workflows/propagate-changes.yml b/.github/workflows/propagate-changes.yml index de3b3b4d..76f041ca 100644 --- a/.github/workflows/propagate-changes.yml 
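Review bot: With the automatic token now handed to release-drafter on the `GITHUB_TOKEN:` env line, what the step may do is bounded by the job's `permissions:` block rather than by a PAT, and that block is outside the hunk; confirm it grants `contents: write`, which creating or updating a draft release needs, otherwise the action fails with a 403. A short comment above the env line, `# automatic token: effective scope comes from this job's permissions block`, would make that dependency visible to the next maintainer. The step definition begins before the hunk.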
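Review bot: Only the `env:` key is renamed in the auto-versioning.yml @@ -68 hunk; the `run:` body above `echo "tag=${TAG}" >> $GITHUB_OUTPUT` starts outside the hunk, so verify it no longer reads `${CHARON_TOKEN}` — an unset shell variable expands to an empty string, and any curl call there would then send an empty `Authorization` header without an error. The same check applies to propagate-changes.yml @@ -157, whose script body also lies above its hunk while the env block now exports `GITHUB_TOKEN` next to `CPMP_TOKEN`. While on this line, quoting the output path, `echo "tag=${TAG}" >> "$GITHUB_OUTPUT"`, is the usual shell hygiene.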
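Review bot: The rewritten curl line in auto-versioning.yml @@ -89 treats every non-200 status as "no release", because `|| true` together with `-s -o /dev/null` makes a transport failure (`000`), a 401 from a token lacking `contents: read`, or a 403 rate limit indistinguishable from a 404, and the `Create GitHub Release` step that follows then acts on that guess. Distinguish the expected outcomes: `if [ "${STATUS}" = "200" ]; then echo "exists=true" >> "$GITHUB_OUTPUT"; elif [ "${STATUS}" = "404" ]; then echo "exists=false" >> "$GITHUB_OUTPUT"; else echo "unexpected status ${STATUS}" >&2; exit 1; fi`. One consequence of moving to the automatic token deserves a comment on the release step: tags and releases created with `secrets.GITHUB_TOKEN` do not start other workflow runs, so if release-goreleaser.yml is triggered by that event it will no longer fire (its `on:` block is not visible here). The `Create GitHub Release` step continues past the end of the hunk.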
+++ b/.github/workflows/propagate-changes.yml @@ -157,5 +157,5 @@ jobs: } } env: - CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} CPMP_TOKEN: ${{ secrets.CPMP_TOKEN }} diff --git a/.github/workflows/release-goreleaser.yml b/.github/workflows/release-goreleaser.yml index 5af129e8..a6f46f45 100644 --- a/.github/workflows/release-goreleaser.yml +++ b/.github/workflows/release-goreleaser.yml @@ -13,10 +13,10 @@ jobs: goreleaser: runs-on: ubuntu-latest env: - # Use the built-in CHARON_TOKEN by default for GitHub API operations. - # If you need to provide a PAT with elevated permissions, add a CHARON_TOKEN secret + # Use the built-in GITHUB_TOKEN by default for GitHub API operations. + # If you need to provide a PAT with elevated permissions, add a GITHUB_TOKEN secret # at the repo or organization level and update the env here accordingly. - CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 @@ -47,7 +47,7 @@ jobs: with: version: 0.13.0 - # CHARON_TOKEN is set from CHARON_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN + # GITHUB_TOKEN is set from GITHUB_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN - name: Run GoReleaser diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index efab03ed..e081ecbd 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml 
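Review bot: The rewritten comment in release-goreleaser.yml @@ -13 tells operators to "add a GITHUB_TOKEN secret" for a PAT with elevated permissions, but GitHub rejects repository and organization secrets whose name starts with `GITHUB_`, and `secrets.GITHUB_TOKEN` always resolves to the automatic per-job token; the comment describes a configuration that cannot exist, and the @@ -47 comment (`GITHUB_TOKEN is set from GITHUB_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN`) is now circular and does not match the env block, which shows no `CPMP_TOKEN` fallback at all. Suggested replacement for the three comment lines: `# GITHUB_TOKEN is the automatic per-job token; its scope is set by this job's permissions block.` / `# To run with a PAT of broader scope, store it under a different name (GITHUB_ is a reserved prefix)` / `# and reference that secret here instead.` The same reserved-name fact affects renovate.yml @@ -20/@@ -32 and renovate_prune.yml @@ -24, where the "prefer explicit token" tests now compare against a value that is never empty.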
@@ -20,10 +20,10 @@ jobs: fetch-depth: 1 - name: Choose Renovate Token run: | - # Prefer explicit tokens (CHARON_TOKEN > CPMP_TOKEN) if provided; otherwise use the default GITHUB_TOKEN - if [ -n "${{ secrets.CHARON_TOKEN }}" ]; then - echo "Using CHARON_TOKEN" >&2 - echo "GITHUB_TOKEN=${{ secrets.CHARON_TOKEN }}" >> $GITHUB_ENV + # Prefer explicit tokens (GITHUB_TOKEN > CPMP_TOKEN) if provided; otherwise use the default GITHUB_TOKEN + if [ -n "${{ secrets.GITHUB_TOKEN }}" ]; then + echo "Using GITHUB_TOKEN" >&2 + echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV else echo "Using default GITHUB_TOKEN from Actions" >&2 echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV @@ -32,7 +32,7 @@ jobs: - name: Fail-fast if token not set run: | if [ -z "${{ env.GITHUB_TOKEN }}" ]; then - echo "ERROR: No Renovate token provided. Set CHARON_TOKEN, CPMP_TOKEN, or rely on default GITHUB_TOKEN." >&2 + echo "ERROR: No Renovate token provided. Set GITHUB_TOKEN, CPMP_TOKEN, or rely on default GITHUB_TOKEN." >&2 exit 1 fi diff --git a/.github/workflows/renovate_prune.yml b/.github/workflows/renovate_prune.yml index 7089e435..23a0a9ba 100644 --- a/.github/workflows/renovate_prune.yml +++ b/.github/workflows/renovate_prune.yml 
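Review bot: After the rename both branches of the `if` in renovate.yml @@ -20 write the same value, `secrets.GITHUB_TOKEN`, to `$GITHUB_ENV`, so the branching is dead code and the comment "Prefer explicit tokens (GITHUB_TOKEN > CPMP_TOKEN)" describes neither branch — no line here references `CPMP_TOKEN`, before or after the change. If dropping the PAT is intended, collapse the step to the single `echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV` line and reword the @@ -32 error message, which still tells operators to "Set GITHUB_TOKEN"; if a PAT is still wanted, test a differently named secret such as `secrets.CPMP_TOKEN` first and fall back to the automatic token. Either way a comment is warranted: pull requests opened with the automatic token do not trigger `pull_request` workflows, so Renovate PRs created under this token may receive no CI checks. The `fi` closing this block is outside the hunk.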
@@ -24,17 +24,17 @@ jobs: steps: - name: Choose GitHub Token run: | - if [ -n "${{ secrets.CHARON_TOKEN }}" ]; then - echo "Using CHARON_TOKEN" >&2 - echo "CHARON_TOKEN=${{ secrets.CHARON_TOKEN }}" >> $GITHUB_ENV + if [ -n "${{ secrets.GITHUB_TOKEN }}" ]; then + echo "Using GITHUB_TOKEN" >&2 + echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV else echo "Using CPMP_TOKEN fallback" >&2 - echo "CHARON_TOKEN=${{ secrets.CPMP_TOKEN }}" >> $GITHUB_ENV + echo "GITHUB_TOKEN=${{ secrets.CPMP_TOKEN }}" >> $GITHUB_ENV fi - name: Prune renovate branches uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: - github-token: ${{ env.CHARON_TOKEN }} + github-token: ${{ env.GITHUB_TOKEN }} script: | const owner = context.repo.owner; const repo = context.repo.repo; diff --git a/docs/beta_release_draft_pr.md b/docs/beta_release_draft_pr.md index 2b85b70d..5cd71535 100644 --- a/docs/beta_release_draft_pr.md +++ b/docs/beta_release_draft_pr.md @@ -7,7 +7,7 @@ This draft PR merges recent beta preparation changes from `feature/beta-release` ## Changes Included 1. Workflow Token Updates - - Prefer `CHARON_TOKEN` with `CPMP_TOKEN` as a fallback to maintain backward compatibility. + - Prefer `GITHUB_TOKEN` with `CPMP_TOKEN` as a fallback to maintain backward compatibility. - Ensured consistent secret reference across `release.yml` and `renovate_prune.yml`. 2. Release Workflow Adjustments - Fixed environment variable configuration for release publication. @@ -68,7 +68,7 @@ This draft PR merges recent beta preparation changes from `feature/beta-release` Marking this as a DRAFT to allow review of token changes before merge. Please: -- Confirm `CHARON_TOKEN` (or `CPMP_TOKEN` fallback) exists in repo secrets. +- Confirm `GITHUB_TOKEN` (or `CPMP_TOKEN` fallback) exists in repo secrets. - Review for any missed workflow references. --- 
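Review bot: The `else` branch exporting `secrets.CPMP_TOKEN` in renovate_prune.yml @@ -24 is now unreachable, because `secrets.GITHUB_TOKEN` is the automatic token and is never empty, so the prune step always runs with the job-scoped token and the PAT fallback silently stops being used — a behavioural change the commit does not mention. If deleting branches here relied on the PAT's rights, confirm the job's `permissions:` block (outside the hunk) grants `contents: write`, otherwise `Prune renovate branches` will fail at runtime rather than at review. To keep a working fallback, invert the test: `if [ -n "${{ secrets.CPMP_TOKEN }}" ]; then echo "GITHUB_TOKEN=${{ secrets.CPMP_TOKEN }}" >> $GITHUB_ENV; else echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV; fi`. Note that `actions/github-script` already uses the automatic token when `github-token` is omitted, so if the fallback is deliberately dropped the `with:` line becomes redundant; the `script:` body continues past the hunk.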
diff --git a/docs/beta_release_draft_pr_body_snapshot.md b/docs/beta_release_draft_pr_body_snapshot.md index 90dd1be2..caa474c0 100644 --- a/docs/beta_release_draft_pr_body_snapshot.md +++ b/docs/beta_release_draft_pr_body_snapshot.md @@ -6,7 +6,7 @@ This draft PR merges recent beta preparation changes from `feature/beta-release` ## Changes Included (Summary) -- Workflow token migration: prefer `CHARON_TOKEN` (fallback `CPMP_TOKEN`) across release and maintenance workflows. +- Workflow token migration: prefer `GITHUB_TOKEN` (fallback `CPMP_TOKEN`) across release and maintenance workflows. - Stabilized release workflow prerelease detection and artifact publication. - Prior (already merged earlier) CI enhancements: pinned action versions, Docker multi-arch debug tooling reliability, dynamic `dlv` binary resolution. - Documentation updates enumerating each incremental workflow/token adjustment for auditability. @@ -21,7 +21,7 @@ Ensures alpha integration branch inherits hardened CI/release pipeline and updat ## Risk & Mitigation -- Secret Name Change: Prefer `CHARON_TOKEN` (keep `CPMP_TOKEN` as a fallback). Mitigation: Verify `CHARON_TOKEN` (or `CPMP_TOKEN`) presence before merge. +- Secret Name Change: Prefer `GITHUB_TOKEN` (keep `CPMP_TOKEN` as a fallback). Mitigation: Verify `GITHUB_TOKEN` (or `CPMP_TOKEN`) presence before merge. - Workflow Fan-out: Reusable workflow path validated locally; CI run (draft) will confirm. ## Follow-ups (Out of Scope) 
@@ -38,9 +38,9 @@ Ensures alpha integration branch inherits hardened CI/release pipeline and updat ## Requested Review Focus -1. Confirm `CHARON_TOKEN` (or `CPMP_TOKEN` fallback) availability. +1. Confirm `GITHUB_TOKEN` (or `CPMP_TOKEN` fallback) availability. 2. Sanity-check release artifact matrix remains correct. -3. Spot any residual `CHARON_TOKEN` or `CPMP_TOKEN` references missed. +3. Spot any residual `GITHUB_TOKEN` or `CPMP_TOKEN` references missed. --- Generated draft to align branches; will convert to ready-for-review after validation. diff --git a/docs/beta_release_pr_body.md b/docs/beta_release_pr_body.md index e63a4c5f..9cb03a1d 100644 --- a/docs/beta_release_pr_body.md +++ b/docs/beta_release_pr_body.md @@ -6,7 +6,7 @@ Draft PR to merge hardened CI/release workflow changes from `feature/beta-releas ## Highlights -- Secret token migration: prefer `CHARON_TOKEN` while maintaining support for `CPMP_TOKEN` (fallback) where needed. +- Secret token migration: prefer `GITHUB_TOKEN` while maintaining support for `CPMP_TOKEN` (fallback) where needed. - Release workflow refinements: stable prerelease detection (alpha/beta/rc), artifact matrix intact. - Prior infra hardening (already partially merged earlier): pinned GitHub Action SHAs/tags, resilient Delve (`dlv`) multi-arch build handling. - Extensive incremental documentation trail in `docs/beta_release_draft_pr.md` plus concise snapshot in `docs/beta_release_draft_pr_body_snapshot.md` for reviewers. 
@@ -17,8 +17,8 @@ Most recent snapshot commit: `308ae5dd` (final body content before PR). Full ord ## Review Checklist -- Secret `CHARON_TOKEN` (or `CPMP_TOKEN` fallback) exists and has required scopes. -- No lingering `CHARON_TOKEN` or `CPMP_TOKEN` references beyond allowed GitHub-provided contexts. +- Secret `GITHUB_TOKEN` (or `CPMP_TOKEN` fallback) exists and has required scopes. +- No lingering `GITHUB_TOKEN` or `CPMP_TOKEN` references beyond allowed GitHub-provided contexts. - Artifact list (frontend dist, backend binaries, caddy binaries) still correct for release. ## Risks & Mitigations diff --git a/docs/github-setup.md b/docs/github-setup.md index d56a0149..4cf221d4 100644 --- a/docs/github-setup.md +++ b/docs/github-setup.md @@ -10,7 +10,7 @@ The Docker build workflow uses GitHub Container Registry (GHCR) to store your im ### How It Works -GitHub Actions automatically uses the built-in secret token to authenticate with GHCR. We recommend creating a `CHARON_TOKEN` secret (preferred); workflows currently still work with `CPMP_TOKEN` for backward compatibility. +GitHub Actions automatically uses the built-in secret token to authenticate with GHCR. We recommend creating a `GITHUB_TOKEN` secret (preferred); workflows currently still work with `CPMP_TOKEN` for backward compatibility. - ✅ Push images to `ghcr.io/wikid82/charon` - ✅ Link images to your repository 
@@ -172,13 +172,13 @@ When you're ready to release a new version: **Problem**: "Error: denied: requested access to the resource is denied" -- **Fix**: This shouldn't happen with `CHARON_TOKEN` or `CPMP_TOKEN` - check workflow permissions +- **Fix**: This shouldn't happen with `GITHUB_TOKEN` or `CPMP_TOKEN` - check workflow permissions - **Verify**: Settings → Actions → General → Workflow permissions → "Read and write permissions" enabled **Problem**: Can't pull the image - **Fix**: Make the package public (see Step 1 above) -- **Or**: Authenticate with GitHub: `echo $CHARON_TOKEN | docker login ghcr.io -u USERNAME --password-stdin` (or `CPMP_TOKEN` for backward compatibility) +- **Or**: Authenticate with GitHub: `echo $GITHUB_TOKEN | docker login ghcr.io -u USERNAME --password-stdin` (or `CPMP_TOKEN` for backward compatibility) ### Docs Don't Deploy