ci(release): authenticate arduino/setup-protoc with GITHUB_TOKEN#31
Merged
Conversation
arduino/setup-protoc calls the GitHub releases API to fetch the protoc binary. Without an explicit repo-token it uses the per-IP unauthenticated quota (~60/hr), which is shared with every other runner on the same egress IP and routinely exhausted on the ubuntu-/macos-/windows-latest pools. Both the v0.3.0 (run 24506528329) and v0.5.0 (run 25060322954) release workflows died at this step within seconds with "API rate limit exceeded for <ip>". Passing repo-token makes the action authenticate as the workflow, lifting it onto our 5,000/hr token quota. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 task
Nic-dorman
added a commit
that referenced
this pull request
May 13, 2026
* ci: authenticate arduino/setup-protoc on ci.yml too Mirrors PR #31's release.yml fix — without `repo-token`, the action issues the GitHub release-list API call anonymously and shares the ~60/hr per-IP quota with every other runner on the same egress IP. release.yml has had the auth since 2026-04-28; ci.yml didn't, and PR #57's post-merge CI run flaked here on 2026-05-06 (run 25447450352 job 'API contract tests (antd-rust)' — exact `arduino/setup-protoc@v3 ... API rate limit exceeded` message reproduced from PR #31's investigation). Adds `repo-token: \${{ secrets.GITHUB_TOKEN }}` to both occurrences in ci.yml — the Check (antd) job at line 33 and the API contract tests job at line 75. No semantic change to either workflow; just shifts the action onto our 5,000/hr token quota. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(antd, antd-go): external-signer single-chunk publish Adds `POST /v1/chunks/prepare` + `POST /v1/chunks/finalize` to the antd REST surface and `PrepareChunkUpload` + `FinalizeChunkUpload` to antd-go, giving external signers a way to publish a single chunk paid through their own EVM wallet rather than the daemon's. ## antd (Rust) - `state.rs`: new `pending_chunks: Mutex<HashMap<String, TimestampedChunk>>` map alongside `pending_uploads`, with matching `cleanup_stale_chunks`. Single periodic cleanup task in `main.rs` now sweeps both. - `types.rs`: `PrepareChunkRequest/Response` + `FinalizeChunkRequest/Response`. Response uses `skip_serializing_if` heavily so an already-on-network reply (`already_stored: true`) carries only `address` — no upload_id, no payments. - `rest/chunks.rs::chunk_prepare`: calls `Client::prepare_chunk_payment`, computes the BLAKE3 address up-front (so the already-stored exit can still return it), filters zero-amount quotes from the external-signer payment list, and stashes the PreparedChunk under a fresh upload_id. - `rest/chunks.rs::chunk_finalize`: looks up by upload_id, parses tx_hashes, calls the new `Client::finalize_chunk`, returns the chunk address. Unlike `POST /v1/chunks` (which requires `AUTONOMI_WALLET_KEY` on the daemon), neither new endpoint touches the daemon's wallet — funds flow through the external signer. ## antd-go - New `PrepareChunkResult` type mirroring the response shape. - `PrepareChunkUpload(ctx, content)` + `FinalizeChunkUpload(ctx, uploadID, txHashes)`. - `boolField` helper joins the existing `str`/`num64`/`unum64` helpers. - Three new httptest-backed tests: happy-path prepare, already-stored prepare, finalize round-trip. ## Dep pin `antd/Cargo.toml` pins ant-core to the merge commit of WithAutonomi/ant-client#89 (`c0f6a81`) which adds the `Client::finalize_chunk` primitive this PR consumes. The pin should be bumped to a tag once ant-core cuts a release containing that commit; the rev pin keeps reproducibility in the meantime. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * style: cargo fmt fixes for chunks prepare/finalize --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Nic-dorman
added a commit
that referenced
this pull request
May 14, 2026
Mirrors PR #31's release.yml fix — without `repo-token`, the action issues the GitHub release-list API call anonymously and shares the ~60/hr per-IP quota with every other runner on the same egress IP. release.yml has had the auth since 2026-04-28; ci.yml didn't, and PR #57's post-merge CI run flaked here on 2026-05-06 (run 25447450352 job 'API contract tests (antd-rust)' — exact `arduino/setup-protoc@v3 ... API rate limit exceeded` message reproduced from PR #31's investigation). Adds `repo-token: \${{ secrets.GITHUB_TOKEN }}` to both occurrences in ci.yml — the Check (antd) job at line 33 and the API contract tests job at line 75. No semantic change to either workflow; just shifts the action onto our 5,000/hr token quota. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Both v0.3.0 and v0.5.0 release workflow runs failed within ~10 s on the
arduino/setup-protoc@v3step with:The action calls the GitHub releases API to fetch the protoc binary and, without an explicit
repo-token, uses the per-IP unauthenticated quota (~60/hr). That quota is shared with every other workflow on the same hosted-runner egress IP and routinely exhausted on the macOS/Linux/Windows pools.Passing
repo-token: ${{ secrets.GITHUB_TOKEN }}makes the action authenticate as the workflow, lifting it onto our 5,000/hr token quota.Reproductions
The v0.4.0 release succeeded only because it happened to fall in a window when the runner pool's IP wasn't exhausted; we keep getting unlucky.
Test plan
🤖 Generated with Claude Code