chore(ci): add preflight token and API checks

2026-03-21 13:06:15 +00:00
parent 43018ae9ac
commit 3e03382781
2 changed files with 63 additions and 1 deletions
--- a/.gitea/workflows/do-release.yml
+++ b/.gitea/workflows/do-release.yml
@@ -52,6 +52,40 @@ jobs:
          cache: true
          cache-dependency-path: go.sum

+      - name: Preflight release API access
+        env:
+          REQUESTED_TAG: ${{ inputs.tag }}
+        run: |
+          set -euo pipefail
+
+          if [[ -z "${RELEASE_TOKEN:-}" ]]; then
+            echo "No release token available. Set GITEA_TOKEN (or GITHUB_TOKEN on GitHub)." >&2
+            exit 1
+          fi
+
+          api_base="${GITHUB_API_URL:-${GITHUB_SERVER_URL%/}/api/v1}"
+          repo_api="${api_base}/repos/${GITHUB_REPOSITORY}"
+
+          curl --fail-with-body -sS \
+            -H "Authorization: token ${RELEASE_TOKEN}" \
+            -H "Content-Type: application/json" \
+            "${repo_api}" >/dev/null
+
+          curl --fail-with-body -sS \
+            -H "Authorization: token ${RELEASE_TOKEN}" \
+            -H "Content-Type: application/json" \
+            "${repo_api}/releases?limit=1" >/dev/null
+
+          requested_tag="$(printf '%s' "${REQUESTED_TAG:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')"
+          if [[ -n "$requested_tag" ]]; then
+            normalized_tag="${requested_tag#v}"
+            tag_ref="refs/tags/v${normalized_tag}"
+            if ! git rev-parse --verify --quiet "$tag_ref" >/dev/null; then
+              echo "Requested tag ${tag_ref#refs/tags/} was not found in the checked out repository." >&2
+              exit 1
+            fi
+          fi
+
      - name: Create or update release
        id: publish
        uses: ./publish
@@ -177,7 +211,7 @@ jobs:

      - name: Download released binary
        env:
-          TOKEN: ${{ github.token }}
+          TOKEN: ${{ secrets.GITHUB_TOKEN || secrets.GITEA_TOKEN }}
          TAG_NAME: ${{ needs.release.outputs.tag }}
          RELEASE_VERSION: ${{ needs.release.outputs.version }}
          ASSET_ARCH: ${{ matrix.asset_arch }}
--- a/decorate-pr/action.yml
+++ b/decorate-pr/action.yml
@@ -64,6 +64,34 @@ runs:

        printf 'pr_number=%s\n' "$PR_NUMBER" >> "$GITHUB_OUTPUT"

+    - name: Preflight comment API access
+      id: preflight
+      shell: bash
+      env:
+        AUTH_TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
+        PR_NUMBER: ${{ steps.validate.outputs.pr_number }}
+        SERVER_URL: ${{ github.server_url }}
+        REPOSITORY: ${{ github.repository }}
+      run: |
+        set -euo pipefail
+
+        if [[ -z "$AUTH_TOKEN" ]]; then
+          echo "No token available for PR comment API calls. Set input token or provide workflow token." >&2
+          exit 1
+        fi
+
+        api_url="${SERVER_URL}/api/v1"
+        if [[ "$SERVER_URL" == *"github.com"* ]]; then
+          api_url="https://api.github.com"
+        fi
+
+        comments_url="${api_url}/repos/${REPOSITORY}/issues/${PR_NUMBER}/comments"
+
+        curl --fail-with-body -sS \
+          -H "Authorization: Bearer ${AUTH_TOKEN}" \
+          -H "Content-Type: application/json" \
+          "$comments_url" >/dev/null
+
    - name: Extract changelog unreleased entries
      id: extract-changelog
      shell: bash