ci(coverage): push refreshed map via GitHub App token (ruleset bypass) #1465
Merged
sbryngelson merged 1 commit on May 30, 2026
Conversation
The default CACHE_PUSH_TOKEN could not push to master: the master repository ruleset requires PRs, and its bypass list only honors org-admins / repo-admin-role (not fine-grained PATs). Mint a short-lived installation token from the mfc-map-bot GitHub App (contents:write), which is now an Integration bypass actor on that ruleset, and push with it via actions/create-github-app-token@v3.
Why

The post-merge `coverage-refresh` run proved the full pipeline works except the final push: `git commit --no-verify` succeeded, but the push to master was rejected. The master repository ruleset requires PRs, and its bypass list only honors org-admins and the repo Admin role — not the fine-grained PAT behind `CACHE_PUSH_TOKEN`. Token permissions were never the issue; ruleset bypass identity is.

Fix

Use a dedicated GitHub App (`mfc-map-bot`, `contents:write`) as the push identity: the workflow mints an installation token with `actions/create-github-app-token@v3` (secrets `MAP_BOT_APP_ID` + `MAP_BOT_APP_PRIVATE_KEY`, already configured) and pushes with it. Unlike a personal PAT, this identity doesn't expire and isn't tied to a person.

Verification plan

After merge, dispatch `coverage-refresh` once: the SLURM collect + `--no-verify` commit are already verified green; this run should finally land a `mfc-map-bot[bot]` `test: refresh coverage map [skip ci]` commit on master. `CACHE_PUSH_TOKEN` is now unused and can be deleted as a follow-up.
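The push pattern the PR describes, written out as an added example workflow that is not the project's own file: the job keeps the default `GITHUB_TOKEN` read-only, mints a one-hour installation token from the App (the `app-id` / `private-key` inputs and the `token` / `app-slug` outputs are the action's documented interface), and pushes with that token. The collect step, the `[bot]` noreply e-mail format and the `ref: master` checkout are assumptions, not taken from the PR.

```yaml
name: coverage-refresh
on:
  workflow_dispatch:

# Least privilege: the workflow's own GITHUB_TOKEN never needs write access;
# only the App-minted token, scoped to contents:write on this repo, can push.
permissions:
  contents: read

jobs:
  push-map:
    runs-on: ubuntu-latest
    steps:
      - name: Mint short-lived installation token (mfc-map-bot, contents:write)
        id: app-token
        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ secrets.MAP_BOT_APP_ID }}
          private-key: ${{ secrets.MAP_BOT_APP_PRIVATE_KEY }}
          # 'repositories' omitted: the token is limited to the current repository.

      - uses: actions/checkout@v4
        with:
          ref: master                                    # assumed target branch
          token: ${{ steps.app-token.outputs.token }}    # persisted for the later push

      # Assumed: the SLURM collect step that regenerates the coverage map goes here.

      - name: Commit and push as the App identity
        run: |
          set -euo pipefail
          # Author the commit as the bot user so the ruleset sees the Integration bypass actor.
          # The noreply address format is an assumption; adjust to what GitHub reports for the bot.
          git config user.name  "${{ steps.app-token.outputs.app-slug }}[bot]"
          git config user.email "${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com"
          git add -A
          if git diff --cached --quiet; then
            echo "coverage map unchanged; nothing to push"
            exit 0
          fi
          git commit --no-verify -m "test: refresh coverage map [skip ci]"
          git push origin HEAD:master
```

The installation token expires after the job (GitHub invalidates it at about one hour), so nothing long-lived is left behind, and the checkout's stored credential dies with the runner.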