
Commit 433a959

authored
fix(wiki-sync): use single x-access-token auth path (#78)
1 parent c17931d commit 433a959

1 file changed

Lines changed: 15 additions & 7 deletions


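--- a/.github/workflows/wiki-sync.yml
+++ b/.github/workflows/wiki-sync.yml
@@ -44,21 +44,29 @@ jobs:
 fi
 cp wiki/INDEX.md wiki/Home.md
 
-# PAT auth for Git over HTTPS expects the token owner's login as username.
-# Resolve it dynamically so the same flow works for PAT-based automation tokens.
-TOKEN_USER="$(curl -fsSL -H "Authorization: Bearer ${AUTOMATION_TOKEN}" -H "Accept: application/vnd.github+json" https://api.github.com/user | jq -r '.login // empty' || true)"
-if [ -z "$TOKEN_USER" ] || [ "$TOKEN_USER" = "null" ]; then
-echo "::error::Unable to resolve token owner for POLL_NVD_CVES_PAT. Ensure it is a valid PAT with repo access."
+REPO_API_JSON="$(mktemp)"
+REPO_API_STATUS="$(curl -sS -o "$REPO_API_JSON" -w "%{http_code}" -H "Authorization: Bearer ${AUTOMATION_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${{ github.repository }}")"
+if [ "$REPO_API_STATUS" = "401" ]; then
+echo "::error::POLL_NVD_CVES_PAT is invalid/expired, or not SSO-authorized for this org."
+exit 1
+fi
+if [ "$REPO_API_STATUS" = "404" ]; then
+echo "::error::POLL_NVD_CVES_PAT cannot access ${{ github.repository }}."
+exit 1
+fi
+if [ "$REPO_API_STATUS" != "200" ]; then
+REPO_API_MESSAGE="$(jq -r '.message // empty' "$REPO_API_JSON" || true)"
+echo "::error::Unexpected GitHub API response (${REPO_API_STATUS}) while validating token. ${REPO_API_MESSAGE}"
 exit 1
 fi
 
-REPO_PUSH_PERMISSION="$(curl -fsSL -H "Authorization: Bearer ${AUTOMATION_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${{ github.repository }}" | jq -r '.permissions.push // false' || true)"
+REPO_PUSH_PERMISSION="$(jq -r '.permissions.push // false' "$REPO_API_JSON" || true)"
 if [ "$REPO_PUSH_PERMISSION" != "true" ]; then
 echo "::error::POLL_NVD_CVES_PAT cannot push to ${{ github.repository }}. Grant Contents: write (fine-grained PAT) or repo scope (classic PAT), and ensure org approval/SSO authorization if required."
 exit 1
 fi
 
-WIKI_REMOTE="https://${TOKEN_USER}:${AUTOMATION_TOKEN}@github.com/${{ github.repository }}.wiki.git"
+WIKI_REMOTE="https://x-access-token:${AUTOMATION_TOKEN}@github.com/${{ github.repository }}.wiki.git"
 if ! git ls-remote "$WIKI_REMOTE" >/dev/null 2>&1; then
 echo "::warning::Wiki remote unavailable (repository wiki may be disabled). Skipping sync."
 exit 0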
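Review bot: A credential that git rejects on the new `x-access-token` remote is still reported as "repository wiki may be disabled" and ends the job with `exit 0`, because the `git ls-remote "$WIKI_REMOTE" >/dev/null 2>&1` check discards stderr and treats every failure alike. The repository JSON is now kept in `$REPO_API_JSON`, so the step can tell the cases apart: read `HAS_WIKI="$(jq -r '.has_wiki // false' "$REPO_API_JSON" || true)"` and take the skip path only when it is not `true`, otherwise fail with `::error::` (an enabled wiki with no pages yet may also fail here, so word the message accordingly). Separately, the file created by `mktemp` is never removed; `trap 'rm -f "$REPO_API_JSON"' EXIT` right after it also covers the `exit 1` paths, which matters on self-hosted runners. The token also remains inside the remote URL, so whatever follows this hunk (not visible) should avoid persisting `WIKI_REMOTE` in `.git/config`. The step's script begins before and continues after this hunk.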
