ci: continue-on-error for the GC step (403 with current PAT scope)
Run #122 finished green-on-everything-that-matters: indexing, docker login (REGISTRY_TOKEN fix worked), build + push, and the package-link API call all succeeded. The image is published with all four expected tags: latest, c5ed5560fc, corpus-2026.05.24, a97107de46 (manual earlier push).

Only the final GC step failed with HTTP 403 enumerating /packages/.../versions — the PAT we use as REGISTRY_TOKEN has push/pull scope but not the broader package-admin scope needed to list + delete old versions.

GC is housekeeping, not part of the publish path. Marking it continue-on-error: true keeps the whole run green so monitoring can rely on "red = real problem." Both workflows get the same treatment.

Followup TODO baked into the workflow comments: mint a separate PAT with admin:package scope and add it as a second secret (PACKAGES_ADMIN_TOKEN) — then point the GC step at it. Then remove continue-on-error.

Workflow-only commit, doesn't trigger image-only.yml (path filter excludes .gitea/**).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -101,6 +101,12 @@ jobs:
|
||||
esac
|
||||
|
||||
- name: Prune old container versions
|
||||
# GC requires broader scope than REGISTRY_TOKEN's push perms
|
||||
# (got HTTP 403 enumerating /packages/.../versions on run #122).
|
||||
# Non-critical — housekeeping only. Don't fail the whole run.
|
||||
# TODO: issue a separate PAT with admin:package scope and set
|
||||
# as PACKAGES_ADMIN_TOKEN, then use it here.
|
||||
continue-on-error: true
|
||||
env:
|
||||
GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
||||
run: |
|
||||
|
||||
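Review bot: `continue-on-error: true` on the "Prune old container versions" step hides every failure of that step, not only the known HTTP 403 from the under-scoped REGISTRY_TOKEN, so a later GC failure with a different cause would also leave the run green. Consider having the prune script itself treat a 403 as a logged warning and exit 0, while any other error still fails the step. The TODO comment should also say that `continue-on-error` is to be removed once PACKAGES_ADMIN_TOKEN is wired in, as the commit message does, otherwise the suppression is likely to outlive the fix. When the admin-scoped token is added, keep it in this step's `env:` only, as is done here for GITEA_TOKEN, so the broader scope is not exposed to the build and push steps.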
@@ -148,7 +148,11 @@ jobs:
|
||||
esac
|
||||
|
||||
- name: Prune old container versions
|
||||
# GC requires broader scope than REGISTRY_TOKEN's push perms
|
||||
# (HTTP 403 on /packages/.../versions). Non-critical housekeeping.
|
||||
# TODO: issue separate PAT with admin:package scope.
|
||||
if: steps.commit.outputs.changed == 'true' || inputs.force_build == true
|
||||
continue-on-error: true
|
||||
env:
|
||||
GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
||||
run: |
|
||||
|
||||
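Review bot: The comment above `continue-on-error: true` in this workflow is a shortened version of the one in the first hunk: it drops the run number, the PACKAGES_ADMIN_TOKEN secret name and the instruction to use the new token in this step. Since both workflows need the same follow-up, use identical wording in both (or reference one tracked issue) so the token swap and the removal of `continue-on-error` are not applied to one file and missed in the other. The same concern as in the first workflow applies here: with this setting, a prune failure unrelated to the 403 will not turn the run red.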