fix: Use MANIFEST_REPO_PAT for supersede detection API calls #210
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ction The automatic GITHUB_TOKEN only has access to the repository running the workflow. For supersede detection, we need to query the manifest repository (kube-manifests or service repo) using the GitHub Compare API. MANIFEST_REPO_PAT is a PAT with cross-repo access that's already used for pushing to the manifest repository, so it has the necessary permissions to query commit ancestry. This fixes the 404 errors: "Not Found (HTTP 404)" when checking commit ancestry for supersede detection. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
brroMonta
approved these changes
Jan 15, 2026
JesperTerkelsen
deleted the
fix/use-manifest-pat-for-supersede-detection
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
FIX: Use MANIFEST_REPO_PAT for GitHub API access in supersede detection to fix 404 errors.
Problem
ArgoCD wait-sync action is failing with 404 errors when checking commit ancestry for supersede detection.
Error Example: https://github.com/monta-app/service-i18n/actions/runs/21032367040/job/60471830591
Error Message:
Root Cause: The automatic
secrets.GITHUB_TOKENonly has access to the repository running the workflow. For supersede detection, the action needs to query the manifest repository (kube-manifests or service repos) using the GitHub Compare API, which requires cross-repo access.Solution
Change from
secrets.GITHUB_TOKENtosecrets.MANIFEST_REPO_PAT:Changes
component-deploy.yml (line 188)
component-deploy-v2.yml (line 198)
Workflows Affected
This fix applies to:
All workflows already pass MANIFEST_REPO_PAT as a required secret, so no changes needed to calling workflows.
Why This Works
secrets.GITHUB_TOKEN: Automatic token, only has access to current reposecrets.MANIFEST_REPO_PAT: Personal Access Token with multi-repo accessactions/checkoutandgithub-push-actionImpact
✅ Fixes 404 errors - Supersede detection can now query manifest repos
✅ No breaking changes - MANIFEST_REPO_PAT is already required
✅ Consistent with existing usage - Same token used for other manifest repo operations
✅ Applies to all deploy workflows - deploy-kotlin, deploy-generic-v2, and all callers
Testing
After merge, supersede detection will work correctly without 404 errors when checking commit ancestry across repositories.
🤖 Generated with Claude Code