fix(ci): unblock packaging dry-run and /ok-to-test startup failures #1128
Two unrelated CI workflows were broken on main:

- packaging.yaml's GoReleaser Dry Run step did not provide HOMEBREW_DEPLOY_KEY, so the brews template references to .Env.HOMEBREW_DEPLOY_KEY in .goreleaser.yaml failed with "map has no entry for key". Inject an empty string placeholder; publish is skipped so the value is never used.
- ok-to-test.yaml could not start the called qualification.yaml workflow because cli-e2e and security-scan declare id-token: write and security-events: write. GitHub validates the union of permissions at workflow startup, before `if: inputs.privileged_ci` gating evaluates, so the run failed with startup_failure. Declare the permissions on the reusable-workflow call; the gated jobs are still skipped on the fork path (privileged_ci: false), so no fork-controlled code ever executes with elevated tokens.
CodeRabbit review: No actionable comments were generated in the recent review. Review profile: ASSERTIVE (configuration from .coderabbit.yaml). Files selected for processing: 2.

Walkthrough: This PR updates two GitHub Actions workflow files with configuration clarifications and new permission declarations. Estimated code review effort: 1 (Trivial), ~5 minutes. Pre-merge checks: 4 passed.

Coverage Report: No Go source files changed in this PR.
Summary

Two unrelated CI workflows have been failing on main and are fixed here together.

- Packaging Check (`packaging.yaml`) failed after PR refactor(server): merge pkg/api into pkg/server, drop legacy direct handlers #1127 because the dry-run step did not set `HOMEBREW_DEPLOY_KEY`, so the brews template references to `.Env.HOMEBREW_DEPLOY_KEY` in `.goreleaser.yaml` blew up with `template: failed to apply "{{ .Env.HOMEBREW_DEPLOY_KEY }}": map has no entry for key "HOMEBREW_DEPLOY_KEY"`. Fixed by injecting an empty placeholder; publish is skipped so the value is never consumed. The real secret is still provided by the release workflow in `on-tag.yaml`.
- OK to Test (`ok-to-test.yaml`) has been failing with `startup_failure` on every `issue_comment` trigger since PRs refactor(ci): make /ok-to-test's unprivileged status explicit via privileged_ci input #1064 / fix(ci): drop privileged grants from /ok-to-test fork path #1067. Root cause: GitHub validates the union of permissions declared by every job in the called workflow at workflow startup, before `if:` conditions evaluate. `qualification.yaml`'s `cli-e2e` declares `id-token: write` and `security-scan` declares `security-events: write`, but the caller granted neither. Even though both jobs are gated by `if: inputs.privileged_ci` = false, the run never gets that far. Fixed by declaring those permissions on the reusable-workflow call; the gated jobs are still skipped on the fork path, so no fork-controlled code ever executes with elevated tokens.

Motivation/Context

The Packaging Check failure was visible in https://github.com/NVIDIA/aicr/actions/runs/26692166497 right after PR #1127 merged (any push to main touching `.goreleaser.yaml` triggers it). The OK to Test failure is older — 100+ consecutive `startup_failure` runs going back to 2026-05-28 (see https://github.com/NVIDIA/aicr/actions/runs/26691845494). Both are pre-existing latent issues exposed by recent changes; this PR clears them.

Type of Change

Components Affected

- `.github/workflows/packaging.yaml`, `.github/workflows/ok-to-test.yaml`

Implementation Notes

- `ok-to-test.yaml` change documents in-line why "deliberately withheld" permissions (per PR fix(ci): drop privileged grants from /ok-to-test fork path #1067) cannot actually be withheld at the workflow-call level once the reusable workflow declares them on any job. Security intent is preserved by the `if: inputs.privileged_ci` runtime gating, which keeps fork-controlled code from running with the declared tokens.
- `packaging.yaml` change keeps the fix minimal and CI-local rather than complicating the goreleaser template for production releases.

Testing

- `actionlint` and `yamllint` clean on both modified files.
- `HOMEBREW_DEPLOY_KEY=""` lets `goreleaser release --snapshot --clean --skip=publish,sbom` get past template evaluation and write the brew formula (final local-only failures were unrelated gcloud/docker sandbox issues, not present in CI).
- A push to main touching `.goreleaser.yaml` should keep Packaging Check green, and the next `/ok-to-test` comment on any PR should authorize and dispatch the qualification suite.

Risk Assessment

Low. CI-only configuration changes. No application code or release artifacts affected.

Checklist

- `actionlint` and `yamllint` (`-S`)
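Both root causes above are easy to catch before a push: a calling job must grant at least the union of the permissions every job in the called reusable workflow declares, regardless of `if:` gating, and every `.Env.NAME` a GoReleaser template references must exist in the dry-run step's environment. The script below is an added illustration, not code from the NVIDIA/aicr repository or from this PR. It models the workflows as the dicts PyYAML would produce (so it runs offline), and the job names, inputs and the brews fragment are constructed to mirror the PR text; it handles per-job permission maps only, not the `read-all`/`write-all` shorthand.

```python
"""Pre-flight checks for the two CI failure modes this PR fixes.

Added illustration, not code from the NVIDIA/aicr repository. Workflow
contents are modelled as the dicts PyYAML would produce from the YAML files,
so the script runs offline with no dependencies; the job names, inputs and
template snippet below are constructed to match the PR description.
"""
import re
from typing import Dict, List

# Token permission levels in increasing strength; a caller's grant must be
# at least as strong as the level a called job declares.
LEVELS = {"none": 0, "read": 1, "write": 2}


def required_permissions(called_workflow: dict) -> Dict[str, str]:
    """Union (strongest level per scope) of the permissions declared by every
    job in a reusable workflow. GitHub validates this union at workflow
    startup, before any job-level `if:` runs, so gated jobs count exactly
    like unconditional ones; that is why startup_failure appears even when
    the jobs would later be skipped."""
    union: Dict[str, str] = {}
    for job in called_workflow.get("jobs", {}).values():
        for scope, level in (job.get("permissions") or {}).items():
            if LEVELS[level] > LEVELS[union.get(scope, "none")]:
                union[scope] = level
    return union


def missing_grants(caller_job: dict, called_workflow: dict) -> List[str]:
    """Scopes the calling job must add for the called workflow to start."""
    granted = caller_job.get("permissions") or {}
    missing = []
    for scope, level in sorted(required_permissions(called_workflow).items()):
        have = granted.get(scope, "none")
        if LEVELS[have] < LEVELS[level]:
            missing.append(f"{scope}: {level} (caller grants {have})")
    return missing


# `{{ .Env.NAME }}` references in GoReleaser templates; any NAME missing from
# the step environment fails with 'map has no entry for key'.
ENV_REF = re.compile(r"\{\{\s*\.Env\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def unresolved_env_refs(goreleaser_config: str, env: Dict[str, str]) -> List[str]:
    """Template-referenced env names the dry-run step does not provide. An
    empty string satisfies the template; the value is never used when
    publishing is skipped."""
    referenced = {m.group(1) for m in ENV_REF.finditer(goreleaser_config)}
    return sorted(referenced - set(env))


# Constructed model of qualification.yaml: two jobs gated on privileged_ci
# declare write scopes that the unprivileged caller did not grant.
QUALIFICATION = {
    "jobs": {
        "unit": {"permissions": {"contents": "read"}},
        "cli-e2e": {
            "if": "inputs.privileged_ci",
            "permissions": {"contents": "read", "id-token": "write"},
        },
        "security-scan": {
            "if": "inputs.privileged_ci",
            "permissions": {"contents": "read", "security-events": "write"},
        },
    }
}

# Constructed model of the ok-to-test.yaml job that calls the reusable
# workflow, before and after the fix described in this PR.
CALLER_BEFORE = {
    "uses": "./.github/workflows/qualification.yaml",
    "with": {"privileged_ci": False},
    "permissions": {"contents": "read"},
}
CALLER_AFTER = {
    **CALLER_BEFORE,
    "permissions": {"contents": "read", "id-token": "write",
                    "security-events": "write"},
}

# Constructed brews fragment referencing the deploy key, as the PR says
# .goreleaser.yaml does (the real file's layout is not reproduced here).
GORELEASER_SNIPPET = """
brews:
  - repository:
      token: "{{ .Env.HOMEBREW_DEPLOY_KEY }}"
"""

if __name__ == "__main__":
    print("before fix:", missing_grants(CALLER_BEFORE, QUALIFICATION))
    print("after fix: ", missing_grants(CALLER_AFTER, QUALIFICATION))
    print("dry run, no placeholder:  ", unresolved_env_refs(GORELEASER_SNIPPET, {}))
    print("dry run, with placeholder:",
          unresolved_env_refs(GORELEASER_SNIPPET, {"HOMEBREW_DEPLOY_KEY": ""}))
```

Run against the constructed inputs, the "before" caller reports `id-token` and `security-events` as missing and the "after" caller reports nothing, while the template check reports `HOMEBREW_DEPLOY_KEY` until the empty placeholder is added to the environment. The check deliberately ignores `if:` conditions when computing the union, because that is the order GitHub applies: permission validation first, job gating later.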