From 6a8bc568840b0598d51e0096bacf265b2af52d7e Mon Sep 17 00:00:00 2001
From: "Lindsay (Delilah) W"
Date: Wed, 10 Jun 2026 14:54:14 -0400
Subject: [PATCH 1/2] feat(igdb): push game-details refresh as Oliver via app token
The commit-back step pushed to main as github-actions[bot], which the main-protection ruleset rejects (PR-only, required checks, verified signatures). Mint an installation token for Oliver, check out with it, and commit as Oliver's bot identity; Oliver is a bypass actor on main-protection, matching the scoped-app-bypass pattern already used by igdb_tagging (Karen) and automated_indexing. Requires OLIVER_APP_ID / OLIVER_PRIVATE_KEY as igdb_env environment secrets and Oliver added as a main-protection bypass actor.
Co-Authored-By: Claude Fable 5
---
 .github/workflows/igdb-game-details.yml | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/igdb-game-details.yml b/.github/workflows/igdb-game-details.yml
index dcafe8a..a0285a8 100644
--- a/.github/workflows/igdb-game-details.yml
+++ b/.github/workflows/igdb-game-details.yml
@@ -37,16 +37,29 @@ jobs:
 game-details:
 runs-on: ubuntu-latest
 timeout-minutes: 30
- # Pulls IGDB_CLIENT_ID / IGDB_CLIENT_SECRET from the `igdb_env`
- # environment, which is restricted to the `main` branch. PR runs and
- # feature-branch dispatches cannot reach the secrets.
+ # Pulls IGDB_CLIENT_ID / IGDB_CLIENT_SECRET and Oliver's app credentials
+ # from the `igdb_env` environment, which is restricted to the `main`
+ # branch and `*igdb*` tags. PR runs and feature-branch dispatches cannot
+ # reach the secrets.
 environment: igdb_env
 steps:
+ # The push to main below has to clear the `main-protection` ruleset
+ # (PR-only, required checks, signatures). Oliver is a bypass actor on
+ # that ruleset, so the push runs on his installation token rather than
+ # the workflow's GITHUB_TOKEN.
+ - name: Mint Oliver app token
+ id: oliver
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ secrets.OLIVER_APP_ID }}
+ private-key: ${{ secrets.OLIVER_PRIVATE_KEY }}
+
 - name: Checkout main
 uses: actions/checkout@v6
 with:
 fetch-depth: 2 # need parent commit to diff against
+ token: ${{ steps.oliver.outputs.token }}
 - name: Set up Python
 uses: actions/setup-python@v6
@@ -118,12 +131,10 @@ jobs:
 - name: Commit game details back to main
 if: steps.detect.outputs.mode != 'none'
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 set -euo pipefail
- git config user.name "github-actions[bot]"
- git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git config user.name "oliver-the-multiworld-squirrel[bot]"
+ git config user.email "281294001+oliver-the-multiworld-squirrel[bot]@users.noreply.github.com"
 if git diff --quiet output/igdb_game_details.json; then
 echo "no changes to igdb_game_details.json"
From 47195812cd2a9677480089b8c72a327a7c53e355 Mon Sep 17 00:00:00 2001
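Review bot: The `token:` added to the checkout step is passed without `persist-credentials: false`, so actions/checkout writes the installation token into `.git/config` and every later step in the job — setup-python, whatever installs dependencies, and presumably the Python refresh that calls IGDB — runs with a credential that exists only to make the final push. Add `persist-credentials: false` under the checkout's `with:` and hand the token to the commit step explicitly (an `env:` entry pointing at the mint step's `token` output), so the credential is on disk only while it is actually used. The `client-id`/scoping choices are overtaken by the follow-up patch, but the persistence point survives it. The job body continues past this hunk, so the steps that would inherit the credential are outside the visible lines.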
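Review bot: Removing the `env:` block leaves the commit step with no token of its own, so the `git push` later in this `run:` (outside the hunk) presumably authenticates with whatever actions/checkout left in `.git/config`, and anything after the visible lines that still calls `gh` has lost its token entirely. That coupling is invisible at the step and breaks the moment the checkout stops persisting credentials; either restore `env:` with `GH_TOKEN` set to the mint step's `token` output and push with that, or at least state it above `run:`: `# push auth is the token actions/checkout persisted into .git/config`. Note also that `git config user.name`/`user.email` only label the author and committer; the commits are unsigned, so the ruleset's signature requirement is bypassed by the app's actor status rather than met. The step's no-op check, commit and push continue outside the hunk.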
From: "Lindsay (Delilah) W"
Date: Wed, 10 Jun 2026 17:50:54 -0400
Subject: [PATCH 2/2] fixup: use Karen instead of Oliver for the main push
Oliver's installation only has contents:read; Karen has contents:write (she already pushes the igdb-pr-* tags). Reuses the existing KAREN_APP_ID var / KAREN_PRIVATE_KEY secret and the same v3 mint step as karen-pr-review.yml, so no new credentials are needed.
Co-Authored-By: Claude Fable 5
---
 .github/workflows/igdb-game-details.yml | 32 +++++++++++++------------
 1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/igdb-game-details.yml b/.github/workflows/igdb-game-details.yml
index a0285a8..07dd24d 100644
--- a/.github/workflows/igdb-game-details.yml
+++ b/.github/workflows/igdb-game-details.yml
@@ -37,29 +37,31 @@ jobs:
 game-details:
 runs-on: ubuntu-latest
 timeout-minutes: 30
- # Pulls IGDB_CLIENT_ID / IGDB_CLIENT_SECRET and Oliver's app credentials
- # from the `igdb_env` environment, which is restricted to the `main`
- # branch and `*igdb*` tags. PR runs and feature-branch dispatches cannot
- # reach the secrets.
+ # Pulls IGDB_CLIENT_ID / IGDB_CLIENT_SECRET from the `igdb_env`
+ # environment, which is restricted to the `main` branch and `*igdb*`
+ # tags. PR runs and feature-branch dispatches cannot reach the secrets.
 environment: igdb_env
 steps:
 # The push to main below has to clear the `main-protection` ruleset
- # (PR-only, required checks, signatures). Oliver is a bypass actor on
- # that ruleset, so the push runs on his installation token rather than
- # the workflow's GITHUB_TOKEN.
- - name: Mint Oliver app token
- id: oliver
- uses: actions/create-github-app-token@v2
+ # (PR-only, required checks, signatures). Karen is the only app with
+ # contents:write (Oliver is contents:read) and is a bypass actor on
+ # that ruleset, so the push runs on her installation token rather than
+ # the workflow's GITHUB_TOKEN. Same mint pattern as karen-pr-review.yml.
+ - name: Mint Karen's installation token
+ uses: actions/create-github-app-token@v3
+ id: karen_token
 with:
- app-id: ${{ secrets.OLIVER_APP_ID }}
- private-key: ${{ secrets.OLIVER_PRIVATE_KEY }}
+ client-id: ${{ vars.KAREN_APP_ID }}
+ private-key: ${{ secrets.KAREN_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repositories: ${{ github.event.repository.name }}
 - name: Checkout main
 uses: actions/checkout@v6
 with:
 fetch-depth: 2 # need parent commit to diff against
- token: ${{ steps.oliver.outputs.token }}
+ token: ${{ steps.karen_token.outputs.token }}
 - name: Set up Python
 uses: actions/setup-python@v6
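Review bot: The rewritten environment comment still says `igdb_env` is reachable from `*igdb*` tags, and the token minted a few lines below it now carries contents:write and bypasses `main-protection`, so anyone who can create a tag matching `*igdb*` and dispatch this workflow on it (the same comment implies dispatches exist) gets a push to main that skips PR review, required checks and signatures; the "feature-branch dispatches cannot reach the secrets" reassurance no longer covers the case that matters. Either remove the tag pattern from the environment's deployment policy or cover tag creation with a tag ruleset, and record which in the comment, e.g. `# `*igdb*` tags also reach these secrets; tag creation is restricted by the tag ruleset, otherwise Karen's bypass token is minted for anyone who can push such a tag.` Separately, the step that receives `KAREN_PRIVATE_KEY` is pinned to the mutable `@v3` tag, as is the checkout that receives the resulting token; pin both to a full commit SHA with the version in a trailing comment, since a moved tag here means handing the app's private key to whatever the tag points at. The `owner`/`repositories` scoping to the current repository is the right call and worth keeping as the follow-up changes the identity.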
@@ -133,8 +135,8 @@ jobs:
 if: steps.detect.outputs.mode != 'none'
 run: |
 set -euo pipefail
- git config user.name "oliver-the-multiworld-squirrel[bot]"
- git config user.email "281294001+oliver-the-multiworld-squirrel[bot]@users.noreply.github.com"
+ git config user.name "karen-head-of-multiworld-qa[bot]"
+ git config user.email "281437399+karen-head-of-multiworld-qa[bot]@users.noreply.github.com"
 if git diff --quiet output/igdb_game_details.json; then
 echo "no changes to igdb_game_details.json"
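Review bot: The committer identity is hard-coded as `karen-head-of-multiworld-qa[bot]` with user id 281437399, a pair that has to match the bot user GitHub created for the app for the commits to be attributed to it; nothing here checks that, and the Oliver-to-Karen swap in this very patch shows how easily the pair goes stale when the credential changes. Derive both from the mint step instead: create-github-app-token v3 exposes an `app-slug` output and `gh api /users/<slug>[bot]` returns the id, which means the step needs a `GH_TOKEN` again (it was dropped in the previous patch). This only labels the author and committer; the commits are unsigned, so the ruleset's signature requirement is bypassed by Karen's actor status rather than satisfied, which is worth a comment next to the identity. The step's no-op check, commit and push continue outside the hunk.
```yaml
      - name: Commit game details back to main
        if: steps.detect.outputs.mode != 'none'
        env:
          GH_TOKEN: ${{ steps.karen_token.outputs.token }}
          APP_SLUG: ${{ steps.karen_token.outputs.app-slug }}
        run: |
          set -euo pipefail
          # Resolve the app's bot user from the installation so the identity
          # cannot drift from the credential that actually does the push.
          bot_id="$(gh api "/users/${APP_SLUG}[bot]" --jq .id)"
          git config user.name "${APP_SLUG}[bot]"
          git config user.email "${bot_id}+${APP_SLUG}[bot]@users.noreply.github.com"
          # … unchanged: no-op check, commit and push …
```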