Skip to content

fix(ci): add pre-flight token validation and fix permissions block in squad-mark-released#271

Merged
mpaulosky merged 1 commit into
devfrom
squad/268-fix-squad-mark-released-permissions
May 8, 2026
Merged

fix(ci): add pre-flight token validation and fix permissions block in squad-mark-released#271
mpaulosky merged 1 commit into
devfrom
squad/268-fix-squad-mark-released-permissions

Conversation

@mpaulosky

Copy link
Copy Markdown
Owner

Summary

Working as Boromir (DevOps)

Closes #268

Root Cause

The workflow was failing with Resource not accessible by integration because:

  1. permissions: repository-projects: write only controls GITHUB_TOKEN — it has no effect on a custom PAT passed via github-token:
  2. When GH_PROJECT_TOKEN secret is not set, actions/github-script receives an empty string and falls back to using GITHUB_TOKEN, which cannot access GitHub Projects V2 GraphQL regardless of the permissions block

Changes

  • Fix permissions block: repository-projects: writecontents: read (correct for workflows that rely exclusively on a custom PAT)
  • Add pre-flight validation step: Checks GH_PROJECT_TOKEN is set; fails early with an actionable error message if missing (includes setup instructions and required scope)
  • Downgrade actions/github-script@v9@v7 (stable LTS version)
  • Add top-of-file comment documenting that a classic PAT with project OAuth scope is required

Setup Required

To make this workflow functional, add GH_PROJECT_TOKEN as a repository secret:

  1. Create a classic PAT at https://github.com/settings/tokens with project scope
  2. Add it: Settings → Secrets and variables → Actions → New repository secret → GH_PROJECT_TOKEN

Copilot AI review requested due to automatic review settings May 8, 2026 18:27
@github-actions

github-actions Bot commented May 8, 2026

Copy link
Copy Markdown
Contributor

🏗️ PR Added to Squad Triage Queue

This PR has been labeled with squad and added to the triage queue.

Next steps:

  • The squad Lead will review and assign to an appropriate team member
  • A squad:member label will be added after triage

If you know which squad member should handle this, you can add the appropriate squad:member label yourself.

@github-actions github-actions Bot added the squad Squad triage inbox — Lead will assign to a member label May 8, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes the failing squad-mark-released GitHub Actions workflow by ensuring it uses a properly configured Projects-capable token and fails early when the required secret is missing, and it documents the operational learning in Boromir’s history.

Changes:

  • Added a pre-flight step to validate GH_PROJECT_TOKEN is configured before attempting ProjectV2 GraphQL operations.
  • Adjusted workflow permissions and added top-of-file documentation about the required token/scope.
  • Updated .squad/agents/boromir/history.md with the root cause and remediation notes for Issue #268.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
.github/workflows/squad-mark-released.yml Adds token preflight validation + updates permissions/commentary + changes actions/github-script version.
.squad/agents/boromir/history.md Records the incident, root cause, and what was changed for Issue #268.


- name: Move Done → Released on project board
uses: actions/github-script@v9
uses: actions/github-script@v7
Comment on lines +8 to +11
# NOTE: The default GITHUB_TOKEN cannot access GitHub Projects V2 via GraphQL.
# This workflow requires a repository secret named GH_PROJECT_TOKEN set to a
# classic Personal Access Token (PAT) with the `project` OAuth scope.
# See: https://docs.github.com/en/issues/planning-and-tracking-with-projects/automating-your-project/using-the-api-to-manage-projects
**Key lesson:** For GitHub Projects V2 GraphQL, `GITHUB_TOKEN` is never sufficient regardless of `permissions` block settings. A classic PAT with `project` OAuth scope (or fine-grained PAT with Projects read/write) is required. Always add a pre-flight secret validation step so failures are immediately actionable.

**Files changed:** `.github/workflows/squad-mark-released.yml`
**Related decisions inbox:** `boromir-268-project-token.md`
3. Downgraded `actions/github-script@v9` → `@v7` (stable LTS version)
4. Added a top-of-file comment documenting the required PAT scope (`project`)

**Key lesson:** For GitHub Projects V2 GraphQL, `GITHUB_TOKEN` is never sufficient regardless of `permissions` block settings. A classic PAT with `project` OAuth scope (or fine-grained PAT with Projects read/write) is required. Always add a pre-flight secret validation step so failures are immediately actionable.
@github-actions

github-actions Bot commented May 8, 2026

Copy link
Copy Markdown
Contributor

Test Results Summary

331 tests  ±0   330 ✅ ±0   19s ⏱️ ±0s
  6 suites ±0     1 💤 ±0 
  6 files   ±0     0 ❌ ±0 

Results for commit 00639c9. ± Comparison against base commit 3c309d2.

♻️ This comment has been updated with latest results.

@codecov

codecov Bot commented May 8, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.57%. Comparing base (3c309d2) to head (00639c9).
⚠️ Report is 1 commits behind head on dev.

Additional details and impacted files
@@           Coverage Diff           @@
##              dev     #271   +/-   ##
=======================================
  Coverage   86.57%   86.57%           
=======================================
  Files          44       44           
  Lines        1043     1043           
  Branches      116      116           
=======================================
  Hits          903      903           
  Misses         96       96           
  Partials       44       44           
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

… squad-mark-released (#268)

- Replace 'repository-projects: write' (GITHUB_TOKEN only) with 'contents: read'
  The permissions block was misleading — it has no effect on the custom PAT used
  by this workflow. The GITHUB_TOKEN is not used for Projects V2 GraphQL calls.
- Add pre-flight step that validates GH_PROJECT_TOKEN secret is set and fails
  early with an actionable error message (setup URL, required scope) if missing.
- Downgrade actions/github-script@v9 → @v7 (stable LTS version).
- Add top-of-file comment documenting required PAT scope (classic PAT: 'project').

Root cause of GraphQL error: when GH_PROJECT_TOKEN is unset, actions/github-script
receives an empty string and effectively uses GITHUB_TOKEN, which cannot access
GitHub Projects V2 regardless of the permissions block.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@mpaulosky
mpaulosky force-pushed the squad/268-fix-squad-mark-released-permissions branch from abf50c8 to 00639c9 Compare May 8, 2026 18:34
@mpaulosky
mpaulosky merged commit c272feb into dev May 8, 2026
16 checks passed
@mpaulosky
mpaulosky deleted the squad/268-fix-squad-mark-released-permissions branch May 8, 2026 18:39
mpaulosky added a commit that referenced this pull request May 8, 2026
## Sprint 18 — AppHost MongoDB Dev Commands Refactor

This release promotes all Sprint 18 work from `dev` to `main`.

### What's included

#### Feature work
- **#262** — `refactor(apphost): extract WithClearDatabaseCommand into
MongoDbResourceBuilderExtensions`
- **#263** — `feat(AppHost): add WithSeedDataCommand for local dev
seeding`
- **#264** — `feat(AppHost): add WithShowStatsCommand for local dev
stats`
- **#267** — `refactor: rename _clearMutex to _dbMutex in
MongoDbResourceBuilderExtensions`

#### CI fixes
- **#270** — `fix(ci): Blog → README Sync — push to dev instead of main`
- **#271** — `fix(ci): add pre-flight token validation and fix
permissions block in squad-mark-released`

### CI status

- ✅ **Squad CI** (`ci.yml`) — green on latest `dev` commit
- ⚠️ **Test Suite** — 1 flaky test failure: `SeedMyBlogData Concurrent
Invocations Allow Only One Run` (timing-sensitive concurrency test; race
condition in test harness, not production code). All other 47 tests
pass. Squad CI gate is the authoritative pass/fail gate.

### Notes

- Last release tag: `v1.5.0`
- `dev` is 55 commits ahead of `main`
- No open Sprint 18 issues, no open PRs
- Merge strategy: squash merge per playbook

---

## Release Checklist

- [ ] Latest `dev` Squad CI is green ✅
- [ ] Release scope reviewed (Sprint 18 milestone closed, all 4 issues
merged)
- [ ] Breaking changes documented (none — additive AppHost extension
methods only)
- [ ] Flaky test acknowledged (`SeedMyBlogData Concurrent` — timing race
in test, not prod)
- [ ] Release notes drafted (see sprint summary above)
- [ ] Aragorn approval received
- [ ] Boromir confirms branch state and workflow health
- [ ] PR CI passes before merge
- [ ] Merge to `main` with squash merge
- [ ] Tag `main` with appropriate `vX.Y.Z` after merge + CI green

Closes the Sprint 18 release gate.
Working as Boromir (DevOps)

---------

Co-authored-by: Boromir <boromir@squad.dev>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

squad Squad triage inbox — Lead will assign to a member

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix(ci): Squad Mark Released workflow fails with GraphQL permission error

2 participants