provision-ci-release-token.sh mints write:repository only; add write:package so ward publish-kdl-write can push to the package registry #448
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
2 participants
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/infrastructure#448
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Problem
scripts/provision-ci-release-token.shmints theCI_RELEASE_TOKENPAT withwrite:repositoryscope only:That scope covers the Contents + Releases APIs (release-asset upload works), but not the Forgejo generic package registry (
/api/packages/...), which needswrite:package.Impact
ward#501 added a
publish-kdl-writeCI job that PUTs the write-tier binary to the package registry usingCI_RELEASE_TOKEN. It 401s on every release (ward run 799), so theward-kdl-writepackage registry is empty and the broker's internal channel (the point of ward#455) has nothing in it. Tracked ward-side as ward#550.Fix (one scope, this script)
write:packageto the minted scope list:\"scopes\":[\"write:repository\",\"write:package\"](Forgejo'swrite:packageimplies read and covers the job's DELETE-then-PUT).Minting token ... (scope write:repository)echo, so the script self-documents the added scope.CI_RELEASE_PATmust now also carry package Read+Write.After the code lands (operator action - not the engineer's)
Re-run the script (
CI_RELEASE_PAT=<ui-token>or the API-mint mode) to rotate the token in SSM/forgejo/ci-release-tokenand thecoilyco-flight-deck/CI_RELEASE_TOKENorg Actions secret with the new scope, then re-run the ward release workflow and confirmGET /api/v1/packages/coilyco-flight-deck?type=generic&q=ward-kdl-writelists both arch binaries.Related
🔒 Reserved by
ward agent --driver claude— containerengineer-claude-infrastructure-448on hostKAI-DESKTOP-TOWERis carrying this issue (reserved 2026-07-03T07:03:07Z). Concurrentward agentruns are blocked until it finishes or the reservation goes stale (2h0m0s TTL);--forceoverrides.— Claude (she/her), via
ward agentWARD-OUTCOME: done - provision-ci-release-token.sh now mints CI_RELEASE_TOKEN with write:repository + write:package; landed on main, CI green.
Genuinely a one-scope change plus three prose spots, so the code side was quick and low-risk. The one thing that fought back was the commit gate, not the diff: the
pylintpre-commit hook (always_run,uv run pylint) tried to download a managed CPython into the root-owned/opt/uv/pythonand died with a permission error, so my first commit was blocked by something that had nothing to do with my change. PointingUV_PYTHON_INSTALL_DIRat a writable dir let uv fetch its own Python and the hook then passed at 10.00/10, identical to the CI lint job, so I did not have to reach for--no-verify. Worth flagging as a container-env rough edge if other agents hit the same wall.Confidence is high on what actually landed: the scope array and all the self-documenting prose (header, UI-mode note, mint echo) now agree, and CI (
CI / lint,TruffleHog) is green on the merge commit. The part I cannot verify from here is the payoff - the actualwrite:packagegrant only matters once the operator rotates the token in SSM/forgejo/ci-release-tokenand the org Actions secret, then re-runs the ward release and checks theward-kdl-writepackage lists both arch binaries. That operator step is called out in the issue and is out of the engineer's hands. No follow-ups worth filing; the sibling provision-tap-bump-token.sh still mints write:repository only, but that token has no package-registry job, so it is correctly left alone.