From 3a279212ef2828a58882dcb497e0dd0fa629555a Mon Sep 17 00:00:00 2001
From: Justin Paul
Date: Sun, 24 May 2026 16:29:54 -0400
Subject: [PATCH] ci: continue-on-error for the GC step (403 with current PAT scope)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Run #122 finished green-on-everything-that-matters: indexing, docker login (REGISTRY_TOKEN fix worked), build + push, and the package-link API call all succeeded. The image is published with all four expected tags: latest, c5ed5560fc2f, corpus-2026.05.24, a97107de4636 (manual earlier push). Only the final GC step failed with HTTP 403 enumerating /packages/.../versions — the PAT we use as REGISTRY_TOKEN has push/pull scope but not the broader package-admin scope needed to list + delete old versions. GC is housekeeping, not part of the publish path. Marking it continue-on-error: true keeps the whole run green so monitoring can rely on "red = real problem." Both workflows get the same treatment. Followup TODO baked into the workflow comments: mint a separate PAT with admin:package scope and add it as a second secret (PACKAGES_ADMIN_TOKEN) — then point the GC step at it. Then remove continue-on-error. Workflow-only commit, doesn't trigger image-only.yml (path filter excludes .gitea/**).
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .gitea/workflows/image-only.yml | 6 ++++++
 .gitea/workflows/refresh.yml | 4 ++++
 2 files changed, 10 insertions(+)
diff --git a/.gitea/workflows/image-only.yml b/.gitea/workflows/image-only.yml
index 6c91d9b..effb08c 100644
--- a/.gitea/workflows/image-only.yml
+++ b/.gitea/workflows/image-only.yml
@@ -101,6 +101,12 @@ jobs:
 esac
 - name: Prune old container versions
+ # GC requires broader scope than REGISTRY_TOKEN's push perms
+ # (got HTTP 403 enumerating /packages/.../versions on run #122).
+ # Non-critical — housekeeping only. Don't fail the whole run.
+ # TODO: issue a separate PAT with admin:package scope and set
+ # as PACKAGES_ADMIN_TOKEN, then use it here.
+ continue-on-error: true
 env:
 GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
 run: |
diff --git a/.gitea/workflows/refresh.yml b/.gitea/workflows/refresh.yml
index 4ea4894..61a899b 100644
--- a/.gitea/workflows/refresh.yml
+++ b/.gitea/workflows/refresh.yml
@@ -148,7 +148,11 @@ jobs:
 esac
 - name: Prune old container versions
+ # GC requires broader scope than REGISTRY_TOKEN's push perms
+ # (HTTP 403 on /packages/.../versions). Non-critical housekeeping.
+ # TODO: issue separate PAT with admin:package scope.
 if: steps.commit.outputs.changed == 'true' || inputs.force_build == true
+ continue-on-error: true
 env:
 GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
 run: |
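Review bot: `continue-on-error: true` on the prune step makes a failed GC indistinguishable from a successful one in the run status, so the 403 this commit works around — and any later cause, such as a revoked REGISTRY_TOKEN or a changed versions API — will recur silently while old image versions accumulate; the added comment records why, but nothing reports the outcome. Keep the flag, but give the step `id: gc` and add a follow-up step guarded by `if: steps.gc.outcome == 'failure'` that prints a visible warning, so runs stay green while the housekeeping gap is still surfaced (act-based runners render a `::warning::` command as an annotation; a plain echo still lands in the log); the same applies to the refresh.yml hunk. The comment could also state that the planned PACKAGES_ADMIN_TOKEN is to be referenced by this step only, since a token with admin:package scope can delete every version of the package, not just stale ones. The step's `run: |` body continues outside both hunks.
```yaml
      - name: Prune old container versions
        id: gc
        continue-on-error: true
        # … unchanged: env and run …
      - name: Report GC outcome
        if: steps.gc.outcome == 'failure'
        run: echo "::warning::container GC step failed; see the PACKAGES_ADMIN_TOKEN TODO"
```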