From 314626f66f97c49640a27f5f6fda4aec965c03a1 Mon Sep 17 00:00:00 2001
From: Spencer Bryngelson
Date: Sat, 30 May 2026 14:41:33 -0400
Subject: [PATCH] ci(coverage): disable persist-credentials so the app token is used for the push
actions/checkout persists the default GITHUB_TOKEN as an http.extraheader that overrides the app-token credentials embedded in the push URL, so the push authenticated as github-actions[bot] (not a ruleset bypass actor) and was rejected by the require-PR rule. persist-credentials: false lets the mfc-map-bot app token actually be used, so its ruleset bypass applies. This lets the require-PR rule be restored while the bot still pushes the refreshed map.
---
 .github/workflows/coverage-refresh.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/coverage-refresh.yml b/.github/workflows/coverage-refresh.yml
index 319b46549d..eed11aae5a 100644
--- a/.github/workflows/coverage-refresh.yml
+++ b/.github/workflows/coverage-refresh.yml
@@ -22,8 +22,14 @@ jobs:
 group: phoenix
 labels: gt
 steps:
+ # persist-credentials: false stops actions/checkout from configuring the
+ # default GITHUB_TOKEN as an http.extraheader, which otherwise OVERRIDES the
+ # app-token credentials embedded in the push URL below — making the push
+ # authenticate as github-actions[bot] (not a ruleset bypass actor) and get
+ # rejected by the require-PR rule. With it off, the app token is used and the
+ # mfc-map-bot bypass applies.
 - uses: actions/checkout@v4
- with: { clean: false }
+ with: { clean: false, persist-credentials: false }
 - name: Build + collect coverage map (SLURM)
 run: bash .github/scripts/submit-slurm-job.sh .github/workflows/common/coverage-refresh.sh cpu none phoenix
 # Mint a short-lived GitHub App installation token. The app is on the master
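Review bot: With `persist-credentials: false` the app token embedded in the push URL becomes the only credential for the push, and `clean: false` on this self-hosted runner keeps the workspace, including `.git/config`, between runs, so that URL must never be written into the remote config. The push step is outside this hunk, so this is inferred from the new comment rather than seen. It is worth confirming that the step passes the tokenised URL directly to `git push` and does not use `git remote set-url`. If the runner host is shared, a token on the command line may also be visible to other local users while the push runs. I would add one line to the comment block, `# Never store the tokenised push URL in .git/config: clean: false keeps the workspace across runs.`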