Skip to content

Add WINGET_TOKEN preflight to unmask komac's error#150

Merged
michaeljolley merged 1 commit into
mainfrom
michaeljolley-sturdy-chainsaw
Jul 5, 2026
Merged

Add WINGET_TOKEN preflight to unmask komac's error#150
michaeljolley merged 1 commit into
mainfrom
michaeljolley-sturdy-chainsaw

Conversation

@michaeljolley

Copy link
Copy Markdown
Contributor

Problem

winget-publish keeps failing with:

BaldBeardedBuilder.WeatherforCommandPalette does not exist in microsoft/winget-pkgs

But the package does exist at the correct path and casing — manifests/b/BaldBeardedBuilder/WeatherforCommandPalette currently holds versions 1.0.1.0, 1.0.4.0, 1.0.4, 1.2.1.0. komac v2.16.0 collapses every HTTP error on its existence check into that "does not exist" message, so the real cause is hidden. Reading a public repo needs no special scope, so a masked error there almost always means the token is being rejected (401).

You've re-issued WINGET_TOKEN twice and it still fails, so we need to see the actual HTTP status instead of komac's masked message.

What this adds

A preflight step that runs before winget-releaser, using the same WINGET_TOKEN, and prints the ground truth:

  1. GET /user → HTTP status, x-oauth-scopes (classic PATs list scopes here; fine-grained PATs return an empty scopes header), and the authenticated login.
  2. GET the package manifest folder in microsoft/winget-pkgs → HTTP status.
  3. POST /graphql viewer query → HTTP status (komac uses the GraphQL API, so this mirrors it most closely).

It also warns if the secret has surrounding whitespace, and fails fast with actionable guidance if /user or GraphQL returns non-200.

How to use it

Merge this and cut a release (or re-run). The preflight output tells us definitively:

  • /user = 401 → the token value is invalid/expired/mis-pasted.
  • /user = 200 but x-oauth-scopes is empty → it's a fine-grained PAT; komac needs a classic PAT with public_repo.
  • all 200 → the token is fine and we look elsewhere (komac version, fork state).

No secrets are printed — only HTTP statuses, scopes, and the login name.

Co-authored-by: Copilot App 223556219+Copilot@users.noreply.github.com

komac collapses every HTTP error on its package-existence check into
'<id> does not exist in microsoft/winget-pkgs', hiding the real cause.
The package demonstrably exists at the correct path/casing, so a masked
error there means the token is rejected. This preflight step runs the
same reads (REST /user, package contents, GraphQL viewer) with
WINGET_TOKEN and prints the true HTTP status, token scopes, and
authenticated user, failing fast with actionable guidance when the token
is invalid.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@michaeljolley michaeljolley merged commit 801280b into main Jul 5, 2026
2 checks passed
@michaeljolley michaeljolley deleted the michaeljolley-sturdy-chainsaw branch July 5, 2026 06:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant