ci: continue-on-error for the GC step (403 with current PAT scope)

Run #122 finished green-on-everything-that-matters: indexing,
docker login (REGISTRY_TOKEN fix worked), build + push, and the
package-link API call all succeeded. The image is published with
all four expected tags: latest, c5ed5560fc, corpus-2026.05.24,
a97107de46 (manual earlier push).

Only the final GC step failed with HTTP 403 enumerating
/packages/.../versions — the PAT we use as REGISTRY_TOKEN has
push/pull scope but not the broader package-admin scope needed
to list + delete old versions.

GC is housekeeping, not part of the publish path. Marking it
continue-on-error: true keeps the whole run green so monitoring
can rely on "red = real problem." Both workflows get the same
treatment.

Followup TODO baked into the workflow comments: mint a separate
PAT with admin:package scope and add it as a second secret
(PACKAGES_ADMIN_TOKEN) — then point the GC step at it. Then
remove continue-on-error.

Workflow-only commit, doesn't trigger image-only.yml (path filter
excludes .gitea/**).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 16:29:54 -04:00
parent 719cfee2ca
commit 3a279212ef
2 changed files with 10 additions and 0 deletions
@@ -101,6 +101,12 @@ jobs:
esac
- name: Prune old container versions
# GC requires broader scope than REGISTRY_TOKEN's push perms
# (got HTTP 403 enumerating /packages/.../versions on run #122).
# Non-critical — housekeeping only. Don't fail the whole run.
# TODO: issue a separate PAT with admin:package scope and set
# as PACKAGES_ADMIN_TOKEN, then use it here.
continue-on-error: true
env:
GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
run: |
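Review bot: `continue-on-error: true` on the prune step masks every future GC failure, not only the known 403: once PACKAGES_ADMIN_TOKEN is minted and later expires, is rotated, or loses the admin:package scope, the run stays green and old versions silently accumulate, which defeats the "red = real problem" signal the commit message wants monitoring to rely on. Until the admin token exists, skipping the step is cleaner than swallowing its failure: guard it with an `if:` on the secret being set, or have the `run:` script check that the token is non-empty and `exit 0` with a notice, so the step shows as skipped rather than failed-but-ignored. Then remove `continue-on-error` in the same change that wires in PACKAGES_ADMIN_TOKEN, as the TODO says, and keep that token on the step-level `env:` exactly as `GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }}` is here, so the broader-scoped credential is never exposed to the build or push steps.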
@@ -148,7 +148,11 @@ jobs:
esac
- name: Prune old container versions
# GC requires broader scope than REGISTRY_TOKEN's push perms
# (HTTP 403 on /packages/.../versions). Non-critical housekeeping.
# TODO: issue separate PAT with admin:package scope.
if: steps.commit.outputs.changed == 'true' || inputs.force_build == true
continue-on-error: true
env:
GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
run: |
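Review bot: the comment block on this step has drifted from the other workflow's copy of the same step: it drops the run #122 reference, the "don't fail the whole run" rationale, and the PACKAGES_ADMIN_TOKEN secret name, so whoever picks up the follow-up has to cross-reference the other file to learn which secret to create. Copy the fuller comment, including `# as PACKAGES_ADMIN_TOKEN, then use it here.`, so both steps name the same secret. The same concern about `continue-on-error: true` applies here, and this step already has an `if:` expression, so adding a second condition that the admin token is present (alongside `steps.commit.outputs.changed == 'true' || inputs.force_build == true`) would let the step skip cleanly instead of failing green until the token is provisioned.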