fix: correct YAML mappings for workflow secrets and tokens

2025-12-03 05:34:04 +00:00
parent fc1e37f408
commit a776bf6995
6 changed files with 14 additions and 13 deletions
--- a/.github/workflows/auto-changelog.yml
+++ b/.github/workflows/auto-changelog.yml
@@ -14,4 +14,4 @@ jobs:
      - name: Draft Release
        uses: release-drafter/release-drafter@v5
        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
--- a/.github/workflows/auto-versioning.yml
+++ b/.github/workflows/auto-versioning.yml
@@ -60,21 +60,21 @@ jobs:
          # Export the tag for downstream steps
          echo "tag=${TAG}" >> $GITHUB_OUTPUT
        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}

      - name: Check for existing GitHub Release
        id: check_release
        run: |
          TAG=${{ steps.create_tag.outputs.tag }}
          echo "Checking for release for tag: ${TAG}"
-          STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${GITHUB_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}") || true
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${CHARON_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}") || true
          if [ "${STATUS}" = "200" ]; then
            echo "exists=true" >> $GITHUB_OUTPUT
          else
            echo "exists=false" >> $GITHUB_OUTPUT
          fi
        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}

      - name: Create GitHub Release (tag-only, no workspace changes)
        if: ${{ steps.semver.outputs.changed && steps.check_release.outputs.exists == 'false' }}
@@ -84,4 +84,4 @@ jobs:
          name: Release ${{ steps.create_tag.outputs.tag }}
          body: ${{ steps.semver.outputs.release_notes }}
        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -42,7 +42,7 @@ jobs:
          name: Go Benchmark
          tool: 'go'
          output-file-path: backend/output.txt
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.CHARON_TOKEN }}
          auto-push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
          # Show alert with commit comment on detection of performance regression
          alert-threshold: '150%'
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -169,7 +169,7 @@ jobs:
        uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
        with:
          sarif_file: 'trivy-results.sarif'
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.CHARON_TOKEN }}

      - name: Create summary
        if: steps.skip.outputs.skip_build != 'true'
--- a/.github/workflows/release-goreleaser.yml
+++ b/.github/workflows/release-goreleaser.yml
@@ -13,10 +13,10 @@ jobs:
  goreleaser:
    runs-on: ubuntu-latest
    env:
-      # Use the built-in GITHUB_TOKEN by default for GitHub API operations.
+      # Use the built-in CHARON_TOKEN by default for GitHub API operations.
      # If you need to provide a PAT with elevated permissions, add a CHARON_TOKEN secret
      # at the repo or organization level and update the env here accordingly.
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -47,7 +47,8 @@ jobs:
        with:
          version: 0.13.0

-      # GITHUB_TOKEN is set from CHARON_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN
+      # CHARON_TOKEN is set from CHARON_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN
+

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v5
--- a/.github/workflows/renovate_prune.yml
+++ b/.github/workflows/renovate_prune.yml
@@ -26,15 +26,15 @@ jobs:
        run: |
          if [ -n "${{ secrets.CHARON_TOKEN }}" ]; then
            echo "Using CHARON_TOKEN" >&2
-            echo "GITHUB_TOKEN=${{ secrets.CHARON_TOKEN }}" >> $GITHUB_ENV
+            echo "CHARON_TOKEN=${{ secrets.CHARON_TOKEN }}" >> $GITHUB_ENV
          else
            echo "Using CPMP_TOKEN fallback" >&2
-            echo "GITHUB_TOKEN=${{ secrets.CPMP_TOKEN }}" >> $GITHUB_ENV
+            echo "CHARON_TOKEN=${{ secrets.CPMP_TOKEN }}" >> $GITHUB_ENV
          fi
      - name: Prune renovate branches
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
-          github-token: ${{ env.GITHUB_TOKEN }}
+          github-token: ${{ env.CHARON_TOKEN }}
          script: |
            const owner = context.repo.owner;
            const repo = context.repo.repo;