From 3e033827814335ea60691cf26111217e8d338d83 Mon Sep 17 00:00:00 2001
From: Micheal Wilkinson
Date: Sat, 21 Mar 2026 13:06:15 +0000
Subject: [PATCH] chore(ci): add preflight token and API checks
---
 .gitea/workflows/do-release.yml | 36 ++++++++++++++++++++++++++++++++-
 decorate-pr/action.yml | 28 +++++++++++++++++++++++++
 2 files changed, 63 insertions(+), 1 deletion(-)
diff --git a/.gitea/workflows/do-release.yml b/.gitea/workflows/do-release.yml
index 7c69c7b..956d0d9 100644
--- a/.gitea/workflows/do-release.yml
+++ b/.gitea/workflows/do-release.yml
@@ -52,6 +52,40 @@ jobs:
 cache: true
 cache-dependency-path: go.sum
+ - name: Preflight release API access
+ env:
+ REQUESTED_TAG: ${{ inputs.tag }}
+ run: |
+ set -euo pipefail
+
+ if [[ -z "${RELEASE_TOKEN:-}" ]]; then
+ echo "No release token available. Set GITEA_TOKEN (or GITHUB_TOKEN on GitHub)." >&2
+ exit 1
+ fi
+
+ api_base="${GITHUB_API_URL:-${GITHUB_SERVER_URL%/}/api/v1}"
+ repo_api="${api_base}/repos/${GITHUB_REPOSITORY}"
+
+ curl --fail-with-body -sS \
+ -H "Authorization: token ${RELEASE_TOKEN}" \
+ -H "Content-Type: application/json" \
+ "${repo_api}" >/dev/null
+
+ curl --fail-with-body -sS \
+ -H "Authorization: token ${RELEASE_TOKEN}" \
+ -H "Content-Type: application/json" \
+ "${repo_api}/releases?limit=1" >/dev/null
+
+ requested_tag="$(printf '%s' "${REQUESTED_TAG:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')"
+ if [[ -n "$requested_tag" ]]; then
+ normalized_tag="${requested_tag#v}"
+ tag_ref="refs/tags/v${normalized_tag}"
+ if ! git rev-parse --verify --quiet "$tag_ref" >/dev/null; then
+ echo "Requested tag ${tag_ref#refs/tags/} was not found in the checked out repository." >&2
+ exit 1
+ fi
+ fi
+
 - name: Create or update release
 id: publish
 uses: ./publish
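Review bot: The two GET requests in the preflight step only prove that the token can read the repository and its release list, so a read-only token passes here and still fails later in the publish step. If `jq` is available on the runner image, checking the `permissions.push` field of the repository response would catch that early: `curl --fail-with-body -sS -H "Authorization: token ${RELEASE_TOKEN}" "${repo_api}" | jq -e '.permissions.push' >/dev/null`. Separately, `-H "Authorization: token ${RELEASE_TOKEN}"` places the token in curl's argument list, where it is readable from the process table on a shared or self-hosted runner; feeding the header on stdin with `printf 'Authorization: token %s\n' "$RELEASE_TOKEN" | curl -H @- ...` keeps it off the command line, and the same applies to the Bearer header in the decorate-pr/action.yml hunk. `RELEASE_TOKEN` is not set in this step's `env:`, so it presumably comes from job- or workflow-level env outside the hunk; a one-line comment saying where it is defined would help.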
@@ -177,7 +211,7 @@ jobs:
 - name: Download released binary
 env:
- TOKEN: ${{ github.token }}
+ TOKEN: ${{ secrets.GITHUB_TOKEN || secrets.GITEA_TOKEN }}
 TAG_NAME: ${{ needs.release.outputs.tag }}
 RELEASE_VERSION: ${{ needs.release.outputs.version }}
 ASSET_ARCH: ${{ matrix.asset_arch }}
diff --git a/decorate-pr/action.yml b/decorate-pr/action.yml
index ec5191c..193ef99 100644
--- a/decorate-pr/action.yml
+++ b/decorate-pr/action.yml
@@ -64,6 +64,34 @@ runs:
 printf 'pr_number=%s\n' "$PR_NUMBER" >> "$GITHUB_OUTPUT"
+ - name: Preflight comment API access
+ id: preflight
+ shell: bash
+ env:
+ AUTH_TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
+ PR_NUMBER: ${{ steps.validate.outputs.pr_number }}
+ SERVER_URL: ${{ github.server_url }}
+ REPOSITORY: ${{ github.repository }}
+ run: |
+ set -euo pipefail
+
+ if [[ -z "$AUTH_TOKEN" ]]; then
+ echo "No token available for PR comment API calls. Set input token or provide workflow token." >&2
+ exit 1
+ fi
+
+ api_url="${SERVER_URL}/api/v1"
+ if [[ "$SERVER_URL" == *"github.com"* ]]; then
+ api_url="https://api.github.com"
+ fi
+
+ comments_url="${api_url}/repos/${REPOSITORY}/issues/${PR_NUMBER}/comments"
+
+ curl --fail-with-body -sS \
+ -H "Authorization: Bearer ${AUTH_TOKEN}" \
+ -H "Content-Type: application/json" \
+ "$comments_url" >/dev/null
+
 - name: Extract changelog unreleased entries
 id: extract-changelog
 shell: bash
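Review bot: The `TOKEN` line of the "Download released binary" step now falls back to `secrets.GITEA_TOKEN`, which may be a broader credential than a download needs. If that secret is a user-created access token with release-write scope, every leg of the matrix job would hold it where the job-scoped `github.token` was enough before. The step's script is outside the hunk, so how `TOKEN` is used cannot be checked from here. I would add a comment above the line, for example `# read-only download: prefers the automatic job token, GITEA_TOKEN is a fallback only`, and confirm the fallback order matches how `RELEASE_TOKEN` is resolved for the release job.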
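Review bot: The substring test `[[ "$SERVER_URL" == *"github.com"* ]]` in the preflight step matches any server URL that merely contains that text (a constructed example: `https://github.com.example.internal`). In that case the instance's token is sent to `https://api.github.com` rather than to the server that issued it. The release workflow in this same commit resolves its base from `GITHUB_API_URL`; doing the same here with `api_url="${GITHUB_API_URL:-${SERVER_URL%/}/api/v1}"` removes the guess and also trims a trailing slash from `SERVER_URL`. The GET on the comments endpoint confirms read access only, so a token that cannot write issue comments would still pass this preflight.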