From be405f8e2cb45d0cc8d56e3de1846641f324404a Mon Sep 17 00:00:00 2001 From: BarkinKctp Date: Mon, 2 Mar 2026 12:48:55 +0300 Subject: [PATCH 01/21] refactor: replace GH_TOKEN with GitHub App token in workflow --- .../build-citus-community-nightlies.yml | 24 ++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-citus-community-nightlies.yml b/.github/workflows/build-citus-community-nightlies.yml index c5695a01..76f617d9 100644 --- a/.github/workflows/build-citus-community-nightlies.yml +++ b/.github/workflows/build-citus-community-nightlies.yml @@ -6,7 +6,6 @@ env: PACKAGE_CLOUD_API_TOKEN: ${{ secrets.PACKAGE_CLOUD_API_TOKEN }} PACKAGING_PASSPHRASE: ${{ secrets.PACKAGING_PASSPHRASE }} PACKAGING_SECRET_KEY: ${{ secrets.PACKAGING_SECRET_KEY }} - GH_TOKEN: ${{ secrets.GH_TOKEN }} DOCKERHUB_USER_NAME: ${{ secrets.DOCKERHUB_USER_NAME }} DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} on: @@ -37,8 +36,29 @@ jobs: - ubuntu/noble steps: + + - name: Create GitHub App token + id: app + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: ${{ github.repository_owner }} + + #- name: Export token to environment + # run: echo "GH_TOKEN=$ {{ steps.app.outputs.token }}" >> $GITHUB_ENV + # Makes it avaliable to the whole workflow without needing to pass it explicitly to each step. + # GH_TOKEN is a common name for GitHub tokens, and some tools might expect it to be named this way. + - name: Checkout repository uses: actions/checkout@v3 + with: + token: ${{ steps.app.outputs.token }} + + - name: Validate token + env: + GH_TOKEN: ${{ steps.app.outputs.token }} + run: gh repo view --json name -q .name # This step is to fetch the images unanonymously to have higher bandwidth - name: Login to Docker Hub 
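Review bot: The token minted by the new `Create GitHub App token` step is scoped only by `owner:`, so it is valid for every repository the installation covers, while the job only needs this repository plus the `citusdata/tools` and `citusdata/packaging` clones made later; adding `repositories: packaging,tools` (adjusted to the installation's actual repository names) to the step's `with:` block keeps the token least-privilege. The same step is added without a repository list in the later patches of this series (the build-package-test, build-package, build-pgazure-nightlies, image-health-check, update-pgxn-version and update_package_properties hunks), so the fix belongs in all of them. Separately, `actions/checkout@v3` with `token:` stores that token in the checkout's `.git/config` for the rest of the job by default; since the build steps clone `packaging` again into a separate directory rather than pushing through this checkout, `persist-credentials: false` on the checkout step appears safe and removes one copy of the token from disk (confirm no later step relies on it).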
@@ -60,6 +80,8 @@ jobs: run: python -m pip install -r tools/packaging_automation/requirements.txt - name: Build packages + env: + GH_TOKEN: ${{ steps.app.outputs.token }} run: | python -m tools.packaging_automation.citus_package \ --gh_token "${GH_TOKEN}" \ From 0710577832f5eb5d16b2f9d8f234cb7604f86aca Mon Sep 17 00:00:00 2001 From: BarkinKctp Date: Sat, 14 Mar 2026 19:47:00 +0300 Subject: [PATCH 02/21] refactor: replace GH_TOKEN with GitHub App token in workflows --- .../build-citus-community-nightlies.yml | 25 +++++++++---------- .github/workflows/build-package-test.yml | 12 ++++++++- .github/workflows/build-package.yml | 12 ++++++++- .github/workflows/build-pgazure-nightlies.yml | 15 ++++++++++- .github/workflows/image-health-check.yml | 13 ++++++++-- .github/workflows/update-pgxn-version.yml | 17 +++++++++++-- 6 files changed, 74 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build-citus-community-nightlies.yml b/.github/workflows/build-citus-community-nightlies.yml index 76f617d9..31ad92d3 100644 --- a/.github/workflows/build-citus-community-nightlies.yml +++ b/.github/workflows/build-citus-community-nightlies.yml @@ -24,6 +24,10 @@ jobs: build_package: name: Build package runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + strategy: fail-fast: false matrix: 
@@ -45,21 +49,12 @@ jobs: private-key: ${{ secrets.GH_APP_KEY }} owner: ${{ github.repository_owner }} - #- name: Export token to environment - # run: echo "GH_TOKEN=$ {{ steps.app.outputs.token }}" >> $GITHUB_ENV - # Makes it avaliable to the whole workflow without needing to pass it explicitly to each step. - # GH_TOKEN is a common name for GitHub tokens, and some tools might expect it to be named this way. - - name: Checkout repository uses: actions/checkout@v3 with: token: ${{ steps.app.outputs.token }} - - name: Validate token - env: - GH_TOKEN: ${{ steps.app.outputs.token }} - run: gh repo view --json name -q .name - + # This step is to fetch the images unanonymously to have higher bandwidth - name: Login to Docker Hub uses: docker/login-action@v2 @@ -67,11 +62,15 @@ jobs: username: ${{ secrets.DOCKERHUB_USER_NAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} - - name: Clone tools branch - run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools + - name: Clone tools repo for test + env: + GH_TOKEN: ${{ steps.app.outputs.token }} + run: git clone -b v0.8.35 --depth=1 https://x-access-token:${GH_TOKEN}@github.com/citusdata/tools.git tools - name: Clone build branch - run: git clone -b "${MAIN_BRANCH}" --depth=1 https://github.com/citusdata/packaging.git packaging + env: + GH_TOKEN: ${{ steps.app.outputs.token }} + run: git clone -b "${MAIN_BRANCH}" --depth=1 https://x-access-token:${GH_TOKEN}@github.com/citusdata/packaging.git packaging - name: Install package dependencies run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources diff --git a/.github/workflows/build-package-test.yml b/.github/workflows/build-package-test.yml index e4032d50..9356068f 100644 --- a/.github/workflows/build-package-test.yml +++ b/.github/workflows/build-package-test.yml 
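Review bot: Embedding the token in the clone URL (`https://x-access-token:${GH_TOKEN}@github.com/...` in both the `Clone tools repo for test` and `Clone build branch` steps) records it as the `origin` remote in `tools/.git/config` and `packaging/.git/config` and exposes it in the process list while the clone runs, which undoes the per-step `env:` scoping the hunk otherwise keeps. Supplying it as a request header leaves the stored URL clean, e.g. `git -c http.extraheader="AUTHORIZATION: basic $(printf 'x-access-token:%s' "$GH_TOKEN" | base64 -w0)" clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools`, which is the form `actions/checkout` itself uses. The same URL form is added to the build-package-test, build-package, build-pgazure-nightlies, image-health-check and update-pgxn-version hunks of patch 04, and the `--depth=1` clone of `packaging` below it has the same issue.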
@@ -1,7 +1,6 @@ name: Build package for test images env: - GH_TOKEN: "${{ secrets.GH_TOKEN }}" PACKAGING_SECRET_KEY: "${{ secrets.PACKAGING_SECRET_KEY }}" PACKAGE_ENCRYPTION_KEY: "${{ secrets.PACKAGE_ENCRYPTION_KEY }}" PACKAGING_PASSPHRASE: "${{ secrets.PACKAGING_PASSPHRASE }}" @@ -57,8 +56,19 @@ jobs: - TARGET_PLATFORM: ubuntu,noble - TARGET_PLATFORM: pgxn steps: + + - name: Create GitHub App token + id: app + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.GH_APPLICATION_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: ${{ github.repository_owner }} + - name: Checkout repository uses: actions/checkout@v2 + with: + token: ${{ steps.app.outputs.token }} - name: Install package dependencies run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml index 2061778d..7b252f19 100644 --- a/.github/workflows/build-package.yml +++ b/.github/workflows/build-package.yml @@ -1,7 +1,6 @@ name: Build Package env: - GH_TOKEN: "${{ secrets.GH_TOKEN }}" PACKAGING_SECRET_KEY: "${{ secrets.PACKAGING_SECRET_KEY }}" PACKAGE_ENCRYPTION_KEY: "${{ secrets.PACKAGE_ENCRYPTION_KEY }}" PACKAGING_PASSPHRASE: "${{ secrets.PACKAGING_PASSPHRASE }}" @@ -57,8 +56,19 @@ jobs: - TARGET_PLATFORM: ubuntu,noble - TARGET_PLATFORM: pgxn steps: + - name: Create GitHub App token + id: app + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.GH_APPLICATION_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: ${{ github.repository_owner }} + + - name: Checkout repository uses: actions/checkout@v2 + with: + token: ${{ steps.app.outputs.token }} - name: Install package dependencies run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources diff --git a/.github/workflows/build-pgazure-nightlies.yml b/.github/workflows/build-pgazure-nightlies.yml index 50eb6186..92490ae9 100644 
--- a/.github/workflows/build-pgazure-nightlies.yml +++ b/.github/workflows/build-pgazure-nightlies.yml @@ -6,7 +6,6 @@ env: PACKAGE_CLOUD_API_TOKEN: ${{ secrets.PACKAGE_CLOUD_API_TOKEN }} PACKAGING_PASSPHRASE: ${{ secrets.PACKAGING_PASSPHRASE }} PACKAGING_SECRET_KEY: ${{ secrets.PACKAGING_SECRET_KEY }} - GH_TOKEN: ${{ secrets.GH_TOKEN }} DOCKERHUB_USER_NAME: ${{ secrets.DOCKERHUB_USER_NAME }} DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} on: @@ -38,8 +37,20 @@ jobs: - ubuntu/focal steps: + - name: Create GitHub App token + id: app + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: ${{ github.repository_owner }} + - name: Checkout repository uses: actions/checkout@v2 + with: + token: ${{ steps.app.outputs.token }} + + # This step is to fetch the images unanonymously to have higher bandwidth - name: Login to Docker Hub @@ -61,6 +72,8 @@ jobs: run: python -m pip install -r tools/packaging_automation/requirements.txt - name: Build packages + env: + GH_TOKEN: ${{ steps.app.outputs.token }} run: | python -m tools.packaging_automation.citus_package \ --gh_token "${GH_TOKEN}" \ diff --git a/.github/workflows/image-health-check.yml b/.github/workflows/image-health-check.yml index ddbd0cea..f160211a 100644 --- a/.github/workflows/image-health-check.yml +++ b/.github/workflows/image-health-check.yml @@ -1,7 +1,6 @@ name: Image Health Check env: - GH_TOKEN: "${{ secrets.GH_TOKEN }}" PACKAGING_SECRET_KEY: "${{ secrets.PACKAGING_SECRET_KEY }}" PACKAGE_ENCRYPTION_KEY: "${{ secrets.PACKAGE_ENCRYPTION_KEY }}" PACKAGING_PASSPHRASE: "${{ secrets.PACKAGING_PASSPHRASE }}" 
@@ -27,8 +26,18 @@ jobs: name: Check if docker files are compliant with templates runs-on: ubuntu-latest steps: - - name: Checkout repository + - name: Create GitHub App token + id: app + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.GH_APPLICATION_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: ${{ github.repository_owner }} + - name: Check out repository uses: actions/checkout@v2 + with: + token: ${{ steps.app.outputs.token }} + - name: Update and check dockerfiles run: | ./update_dockerfiles diff --git a/.github/workflows/update-pgxn-version.yml b/.github/workflows/update-pgxn-version.yml index 4699209f..61cd26d8 100644 --- a/.github/workflows/update-pgxn-version.yml +++ b/.github/workflows/update-pgxn-version.yml @@ -2,7 +2,6 @@ name: Update Version on PGXN Config Files env: PROJECT_VERSION: ${{ github.event.inputs.project_version }} - GH_TOKEN: ${{ secrets.GH_TOKEN }} on: workflow_dispatch: @@ -16,7 +15,19 @@ jobs: name: Update pgxn configuration runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + + - name: Create Github App Token + id: app + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.GH_APPLICATION_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: ${{ github.repository_owner }} + + - name: Check out repository + uses: actions/checkout@v2 + with: + token: ${{ steps.app.outputs.token }} - name: Install dependencies run: sudo apt install libcurl4-openssl-dev libssl-dev @@ -28,6 +39,8 @@ jobs: run: python -m pip install -r tools/packaging_automation/requirements.txt - name: Update pgxn files + env: + GH_TOKEN: ${{ steps.app.outputs.token }} run: | python -m tools.packaging_automation.update_pgxn \ --prj_ver ${PROJECT_VERSION} \ From 79606b5a31da6b86f2104092ee83b0286f6b255b Mon Sep 17 00:00:00 2001 
From: BarkinKctp Date: Sat, 14 Mar 2026 19:52:23 +0300 Subject: [PATCH 03/21] refactor: update GitHub App token variable name in workflows --- .github/workflows/build-package-test.yml | 2 +- .github/workflows/build-package.yml | 2 +- .github/workflows/image-health-check.yml | 4 +++- .github/workflows/update-pgxn-version.yml | 2 +- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-package-test.yml b/.github/workflows/build-package-test.yml index 9356068f..26c6ba95 100644 --- a/.github/workflows/build-package-test.yml +++ b/.github/workflows/build-package-test.yml @@ -61,7 +61,7 @@ jobs: id: app uses: actions/create-github-app-token@v1 with: - app-id: ${{ vars.GH_APPLICATION_ID }} + app-id: ${{ vars.GH_APP_ID }} private-key: ${{ secrets.GH_APP_KEY }} owner: ${{ github.repository_owner }} diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml index 7b252f19..6d5d2ab7 100644 --- a/.github/workflows/build-package.yml +++ b/.github/workflows/build-package.yml @@ -60,7 +60,7 @@ jobs: id: app uses: actions/create-github-app-token@v1 with: - app-id: ${{ vars.GH_APPLICATION_ID }} + app-id: ${{ vars.GH_APP_ID }} private-key: ${{ secrets.GH_APP_KEY }} owner: ${{ github.repository_owner }} diff --git a/.github/workflows/image-health-check.yml b/.github/workflows/image-health-check.yml index f160211a..2222ad68 100644 --- a/.github/workflows/image-health-check.yml +++ b/.github/workflows/image-health-check.yml @@ -26,13 +26,15 @@ jobs: name: Check if docker files are compliant with templates runs-on: ubuntu-latest steps: + - name: Create GitHub App token id: app uses: actions/create-github-app-token@v1 with: - app-id: ${{ vars.GH_APPLICATION_ID }} + app-id: ${{ vars.GH_APP_ID }} private-key: ${{ secrets.GH_APP_KEY }} owner: ${{ github.repository_owner }} + - name: Check out repository uses: actions/checkout@v2 with: 
diff --git a/.github/workflows/update-pgxn-version.yml b/.github/workflows/update-pgxn-version.yml index 61cd26d8..283d43e9 100644 --- a/.github/workflows/update-pgxn-version.yml +++ b/.github/workflows/update-pgxn-version.yml @@ -20,7 +20,7 @@ jobs: id: app uses: actions/create-github-app-token@v1 with: - app-id: ${{ vars.GH_APPLICATION_ID }} + app-id: ${{ vars.GH_APP_ID }} private-key: ${{ secrets.GH_APP_KEY }} owner: ${{ github.repository_owner }} From 237d179a70771de5e5cb3ea072d59ade6c5b2022 Mon Sep 17 00:00:00 2001 From: BarkinKctp Date: Sat, 14 Mar 2026 20:20:52 +0300 Subject: [PATCH 04/21] refactor: update GitHub App token usage for authentication in workflows --- .../build-citus-community-nightlies.yml | 2 ++ .github/workflows/build-package-test.yml | 13 ++++++++++++- .github/workflows/build-package.yml | 14 ++++++++++++-- .github/workflows/build-pgazure-nightlies.yml | 16 +++++++++++++--- .github/workflows/image-health-check.yml | 19 +++++++++++++++++-- .github/workflows/update-pgxn-version.yml | 10 +++++++++- 6 files changed, 65 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build-citus-community-nightlies.yml b/.github/workflows/build-citus-community-nightlies.yml index 31ad92d3..1a55350b 100644 --- a/.github/workflows/build-citus-community-nightlies.yml +++ b/.github/workflows/build-citus-community-nightlies.yml @@ -93,6 +93,8 @@ jobs: --is_test - name: Publish packages + env: + GH_TOKEN: ${{ steps.app.outputs.token }} run: | python -m tools.packaging_automation.upload_to_package_cloud \ --platform "${{ matrix.platform }}" \ diff --git a/.github/workflows/build-package-test.yml b/.github/workflows/build-package-test.yml index 26c6ba95..07d88cff 100644 --- a/.github/workflows/build-package-test.yml +++ b/.github/workflows/build-package-test.yml 
@@ -84,9 +84,18 @@ jobs: env: TARGET_PLATFORM: ${{ matrix.TARGET_PLATFORM }} POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} + GH_TOKEN: ${{ steps.app.outputs.token }} + + - name: Setup git authentication for GitHub App + env: + GH_TOKEN: ${{ steps.app.outputs.token }} + run: | + git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/" - name: Clone tools repo for test - run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools + env: + GH_TOKEN: ${{ steps.app.outputs.token }} + run: git clone -b v0.8.35 --depth=1 https://x-access-token:${GH_TOKEN}@github.com/citusdata/tools.git tools - name: Execute packaging tests run: | @@ -94,6 +103,7 @@ jobs: python -m pytest -q tools/packaging_automation/tests/test_citus_package.py -k 'test_build_packages' env: PACKAGING_IMAGE_PLATFORM: "${{matrix.TARGET_PLATFORM}}" + GH_TOKEN: ${{ steps.app.outputs.token }} - name: Push images run: | @@ -102,3 +112,4 @@ jobs: env: TARGET_PLATFORM: ${{ matrix.TARGET_PLATFORM }} POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} + GH_TOKEN: ${{ steps.app.outputs.token }} diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml index 6d5d2ab7..18af47a4 100644 --- a/.github/workflows/build-package.yml +++ b/.github/workflows/build-package.yml @@ -63,7 +63,12 @@ jobs: app-id: ${{ vars.GH_APP_ID }} private-key: ${{ secrets.GH_APP_KEY }} owner: ${{ github.repository_owner }} - + + - name: Setup git authentication for GitHub App + env: + GH_TOKEN: ${{ steps.app.outputs.token }} + run: | + git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/" - name: Checkout repository uses: actions/checkout@v2 
@@ -84,9 +89,12 @@ jobs: env: TARGET_PLATFORM: ${{ matrix.TARGET_PLATFORM }} POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} + GH_TOKEN: ${{ steps.app.outputs.token }} - name: Clone tools repo for test - run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools + env: + GH_TOKEN: ${{ steps.app.outputs.token }} + run: git clone -b v0.8.35 --depth=1 https://x-access-token:${GH_TOKEN}@github.com/citusdata/tools.git tools - name: Execute packaging tests run: | @@ -94,6 +102,7 @@ jobs: python -m pytest -q tools/packaging_automation/tests/test_citus_package.py -k 'test_build_packages' env: PACKAGING_IMAGE_PLATFORM: "${{matrix.TARGET_PLATFORM}}" + GH_TOKEN: ${{ steps.app.outputs.token }} - name: Push images run: | @@ -102,3 +111,4 @@ jobs: env: TARGET_PLATFORM: ${{ matrix.TARGET_PLATFORM }} POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} + GH_TOKEN: ${{ steps.app.outputs.token }} diff --git a/.github/workflows/build-pgazure-nightlies.yml b/.github/workflows/build-pgazure-nightlies.yml index 92490ae9..2dd06f40 100644 --- a/.github/workflows/build-pgazure-nightlies.yml +++ b/.github/workflows/build-pgazure-nightlies.yml @@ -50,7 +50,11 @@ jobs: with: token: ${{ steps.app.outputs.token }} - + - name: Setup git authentication for GitHub App + env: + GH_TOKEN: ${{ steps.app.outputs.token }} + run: | + git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/" # This step is to fetch the images unanonymously to have higher bandwidth - name: Login to Docker Hub 
@@ -60,10 +64,14 @@ jobs: password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Clone tools branch - run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools + env: + GH_TOKEN: ${{ steps.app.outputs.token }} + run: git clone -b v0.8.35 --depth=1 https://x-access-token:${GH_TOKEN}@github.com/citusdata/tools.git tools - name: Clone build branch - run: git clone -b "${MAIN_BRANCH}" --depth=1 https://github.com/citusdata/packaging.git packaging + env: + GH_TOKEN: ${{ steps.app.outputs.token }} + run: git clone -b "${MAIN_BRANCH}" --depth=1 https://x-access-token:${GH_TOKEN}@github.com/citusdata/packaging.git packaging - name: Install package dependencies run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources @@ -85,6 +93,8 @@ jobs: --input_files_dir "$(pwd)/packaging" - name: Publish packages + env: + GH_TOKEN: ${{ steps.app.outputs.token }} run: | python -m tools.packaging_automation.upload_to_package_cloud \ --platform "${{ matrix.platform }}" \ diff --git a/.github/workflows/image-health-check.yml b/.github/workflows/image-health-check.yml index 2222ad68..1f7044a7 100644 --- a/.github/workflows/image-health-check.yml +++ b/.github/workflows/image-health-check.yml @@ -26,7 +26,7 @@ jobs: name: Check if docker files are compliant with templates runs-on: ubuntu-latest steps: - + - name: Create GitHub App token id: app uses: actions/create-github-app-token@v1 @@ -70,8 +70,19 @@ jobs: - TARGET_PLATFORM: ubuntu,noble - TARGET_PLATFORM: pgxn steps: + + - name: Create GitHub App token + id: app + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: ${{ github.repository_owner }} + - name: Checkout repository uses: actions/checkout@v2 + with: + token: ${{ steps.app.outputs.token }} - name: Install package dependencies run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources 
@@ -88,8 +99,11 @@ jobs: TARGET_PLATFORM: ${{ matrix.TARGET_PLATFORM }} POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} + - name: Clone tools repo for test - run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools + env: + GH_TOKEN: ${{ steps.app.outputs.token }} + run: git clone -b v0.8.35 --depth=1 https://x-access-token:${GH_TOKEN}@github.com/citusdata/tools.git tools - name: Execute packaging tests run: | @@ -97,4 +111,5 @@ jobs: python -m pytest -q tools/packaging_automation/tests/test_citus_package.py -k 'test_build_packages' env: PACKAGING_IMAGE_PLATFORM: "${{matrix.TARGET_PLATFORM}}" + GH_TOKEN: ${{ steps.app.outputs.token }} diff --git a/.github/workflows/update-pgxn-version.yml b/.github/workflows/update-pgxn-version.yml index 283d43e9..2dfb179f 100644 --- a/.github/workflows/update-pgxn-version.yml +++ b/.github/workflows/update-pgxn-version.yml @@ -29,11 +29,19 @@ jobs: with: token: ${{ steps.app.outputs.token }} + - name: Setup git authentication for GitHub App + env: + GH_TOKEN: ${{ steps.app.outputs.token }} + run: | + git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/" + - name: Install dependencies run: sudo apt install libcurl4-openssl-dev libssl-dev - name: Clone Tools branch - run: git clone --branch v0.8.35 https://github.com/citusdata/tools.git + env: + GH_TOKEN: ${{ steps.app.outputs.token }} + run: git clone --branch v0.8.35 https://x-access-token:${GH_TOKEN}@github.com/citusdata/tools.git - name: Install Python requirements run: python -m pip install -r tools/packaging_automation/requirements.txt From a571e9b7675a1de47a6d9d589366289c9cbb736c Mon Sep 17 00:00:00 2001 
From: BarkinKctp Date: Tue, 17 Mar 2026 16:27:49 +0300 Subject: [PATCH 05/21] refactor: update workflows and scripts to use GitHub App token for authentication --- .../build-citus-community-nightlies.yml | 25 ++++++++----------- .github/workflows/build-package-test.yml | 20 +++++++-------- .github/workflows/build-package.yml | 20 ++++++--------- .github/workflows/build-pgazure-nightlies.yml | 24 ++++++------------ .github/workflows/image-health-check.yml | 21 +++++++++++----- .github/workflows/update-pgxn-version.yml | 18 ++++++------- .../workflows/update_package_properties.yml | 20 +++++++++++++-- scripts/fetch_and_build_deb | 10 +++++++- scripts/fetch_and_build_pgxn | 10 +++++++- scripts/fetch_and_build_rpm | 10 +++++++- 10 files changed, 102 insertions(+), 76 deletions(-) diff --git a/.github/workflows/build-citus-community-nightlies.yml b/.github/workflows/build-citus-community-nightlies.yml index 1a55350b..83342fd6 100644 --- a/.github/workflows/build-citus-community-nightlies.yml +++ b/.github/workflows/build-citus-community-nightlies.yml @@ -24,9 +24,6 @@ jobs: build_package: name: Build package runs-on: ubuntu-latest - permissions: - id-token: write - contents: read strategy: fail-fast: false @@ -48,12 +45,18 @@ jobs: app-id: ${{ vars.GH_APP_ID }} private-key: ${{ secrets.GH_APP_KEY }} owner: ${{ github.repository_owner }} - + + - name: Set GH_TOKEN for all steps + run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV + - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v6 with: token: ${{ steps.app.outputs.token }} + - name: Configure git with x-access-token + run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/" + # This step is to fetch the images unanonymously to have higher bandwidth - name: Login to Docker Hub 
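Review bot: `echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV` in the new `Set GH_TOKEN for all steps` step hands the App token to every later step in the job, including third-party actions such as `docker/login-action`, whereas the per-step `env:` entries this patch removes limited it to the steps that actually pass `--gh_token`. Keeping the per-step `env:` blocks (or at least not exporting through `$GITHUB_ENV`) preserves that scoping; the same export is added in the build-package-test, build-package, build-pgazure-nightlies, image-health-check, update-pgxn-version and update_package_properties hunks of this patch. The new `Configure git with x-access-token` step likewise writes the token in clear into `~/.gitconfig` for the remainder of the job; if the two clones are its only consumers, a per-command `git -c url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf="https://github.com/" clone ...` keeps it off disk. The first hunk also drops the `permissions:` block introduced in patch 02, which returns the job's `GITHUB_TOKEN` to the repository default instead of `contents: read`; keeping `permissions: contents: read` (without the `id-token: write` no visible step uses) is the smaller change.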
@@ -63,14 +66,10 @@ jobs: password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Clone tools repo for test - env: - GH_TOKEN: ${{ steps.app.outputs.token }} - run: git clone -b v0.8.35 --depth=1 https://x-access-token:${GH_TOKEN}@github.com/citusdata/tools.git tools + run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools - name: Clone build branch - env: - GH_TOKEN: ${{ steps.app.outputs.token }} - run: git clone -b "${MAIN_BRANCH}" --depth=1 https://x-access-token:${GH_TOKEN}@github.com/citusdata/packaging.git packaging + run: git clone -b "${MAIN_BRANCH}" --depth=1 https://github.com/citusdata/packaging.git packaging - name: Install package dependencies run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources @@ -79,8 +78,6 @@ jobs: run: python -m pip install -r tools/packaging_automation/requirements.txt - name: Build packages - env: - GH_TOKEN: ${{ steps.app.outputs.token }} run: | python -m tools.packaging_automation.citus_package \ --gh_token "${GH_TOKEN}" \ @@ -93,8 +90,6 @@ jobs: --is_test - name: Publish packages - env: - GH_TOKEN: ${{ steps.app.outputs.token }} run: | python -m tools.packaging_automation.upload_to_package_cloud \ --platform "${{ matrix.platform }}" \ diff --git a/.github/workflows/build-package-test.yml b/.github/workflows/build-package-test.yml index 07d88cff..61ae7843 100644 --- a/.github/workflows/build-package-test.yml +++ b/.github/workflows/build-package-test.yml @@ -25,7 +25,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v6 - name: Update and check dockerfiles run: | ./update_dockerfiles 
@@ -65,11 +65,17 @@ jobs: private-key: ${{ secrets.GH_APP_KEY }} owner: ${{ github.repository_owner }} + - name: Set GH_TOKEN for all steps + run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV + - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v6 with: token: ${{ steps.app.outputs.token }} + - name: Configure git with x-access-token + run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/" + - name: Install package dependencies run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources @@ -84,18 +90,10 @@ jobs: env: TARGET_PLATFORM: ${{ matrix.TARGET_PLATFORM }} POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} - GH_TOKEN: ${{ steps.app.outputs.token }} - - name: Setup git authentication for GitHub App - env: - GH_TOKEN: ${{ steps.app.outputs.token }} - run: | - git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/" - name: Clone tools repo for test - env: - GH_TOKEN: ${{ steps.app.outputs.token }} - run: git clone -b v0.8.35 --depth=1 https://x-access-token:${GH_TOKEN}@github.com/citusdata/tools.git tools + run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools - name: Execute packaging tests run: | diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml index 18af47a4..110f0129 100644 --- a/.github/workflows/build-package.yml +++ b/.github/workflows/build-package.yml @@ -25,7 +25,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v6 - name: Update and check dockerfiles run: | ./update_dockerfiles 
@@ -64,17 +64,17 @@ jobs: private-key: ${{ secrets.GH_APP_KEY }} owner: ${{ github.repository_owner }} - - name: Setup git authentication for GitHub App - env: - GH_TOKEN: ${{ steps.app.outputs.token }} - run: | - git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/" + - name: Set GH_TOKEN for all steps + run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v6 with: token: ${{ steps.app.outputs.token }} + - name: Configure git with x-access-token + run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/" + - name: Install package dependencies run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources @@ -89,12 +89,9 @@ jobs: env: TARGET_PLATFORM: ${{ matrix.TARGET_PLATFORM }} POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} - GH_TOKEN: ${{ steps.app.outputs.token }} - name: Clone tools repo for test - env: - GH_TOKEN: ${{ steps.app.outputs.token }} - run: git clone -b v0.8.35 --depth=1 https://x-access-token:${GH_TOKEN}@github.com/citusdata/tools.git tools + run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools - name: Execute packaging tests run: | @@ -102,7 +99,6 @@ jobs: python -m pytest -q tools/packaging_automation/tests/test_citus_package.py -k 'test_build_packages' env: PACKAGING_IMAGE_PLATFORM: "${{matrix.TARGET_PLATFORM}}" - GH_TOKEN: ${{ steps.app.outputs.token }} - name: Push images run: | diff --git a/.github/workflows/build-pgazure-nightlies.yml b/.github/workflows/build-pgazure-nightlies.yml index 2dd06f40..d2bcd309 100644 --- a/.github/workflows/build-pgazure-nightlies.yml +++ b/.github/workflows/build-pgazure-nightlies.yml 
@@ -45,16 +45,16 @@ jobs: private-key: ${{ secrets.GH_APP_KEY }} owner: ${{ github.repository_owner }} + - name: Set GH_TOKEN for all steps + run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV + - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v6 with: token: ${{ steps.app.outputs.token }} - - name: Setup git authentication for GitHub App - env: - GH_TOKEN: ${{ steps.app.outputs.token }} - run: | - git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/" + - name: Configure git with x-access-token + run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/" # This step is to fetch the images unanonymously to have higher bandwidth - name: Login to Docker Hub @@ -64,14 +64,10 @@ jobs: password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Clone tools branch - env: - GH_TOKEN: ${{ steps.app.outputs.token }} - run: git clone -b v0.8.35 --depth=1 https://x-access-token:${GH_TOKEN}@github.com/citusdata/tools.git tools + run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools - name: Clone build branch - env: - GH_TOKEN: ${{ steps.app.outputs.token }} - run: git clone -b "${MAIN_BRANCH}" --depth=1 https://x-access-token:${GH_TOKEN}@github.com/citusdata/packaging.git packaging + run: git clone -b "${MAIN_BRANCH}" --depth=1 https://github.com/citusdata/packaging.git packaging - name: Install package dependencies run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources @@ -80,8 +76,6 @@ jobs: run: python -m pip install -r tools/packaging_automation/requirements.txt - name: Build packages - env: - GH_TOKEN: ${{ steps.app.outputs.token }} run: | python -m tools.packaging_automation.citus_package \ --gh_token "${GH_TOKEN}" \ 
@@ -93,8 +87,6 @@ jobs: --input_files_dir "$(pwd)/packaging" - name: Publish packages - env: - GH_TOKEN: ${{ steps.app.outputs.token }} run: | python -m tools.packaging_automation.upload_to_package_cloud \ --platform "${{ matrix.platform }}" \ diff --git a/.github/workflows/image-health-check.yml b/.github/workflows/image-health-check.yml index 1f7044a7..a308b720 100644 --- a/.github/workflows/image-health-check.yml +++ b/.github/workflows/image-health-check.yml @@ -35,11 +35,17 @@ jobs: private-key: ${{ secrets.GH_APP_KEY }} owner: ${{ github.repository_owner }} + - name: Set GH_TOKEN for all steps + run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV + - name: Check out repository - uses: actions/checkout@v2 + uses: actions/checkout@v6 with: token: ${{ steps.app.outputs.token }} + - name: Configure git with x-access-token + run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/" + - name: Update and check dockerfiles run: | ./update_dockerfiles @@ -79,11 +85,17 @@ jobs: private-key: ${{ secrets.GH_APP_KEY }} owner: ${{ github.repository_owner }} + - name: Set GH_TOKEN for all steps + run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV + - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v6 with: token: ${{ steps.app.outputs.token }} + - name: Configure git with x-access-token + run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/" + - name: Install package dependencies run: sudo apt-get update && sudo apt-get install libcurl4-openssl-dev libssl-dev python3-testresources 
@@ -101,9 +113,7 @@ jobs: - name: Clone tools repo for test - env: - GH_TOKEN: ${{ steps.app.outputs.token }} - run: git clone -b v0.8.35 --depth=1 https://x-access-token:${GH_TOKEN}@github.com/citusdata/tools.git tools + run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools - name: Execute packaging tests run: | @@ -111,5 +121,4 @@ jobs: python -m pytest -q tools/packaging_automation/tests/test_citus_package.py -k 'test_build_packages' env: PACKAGING_IMAGE_PLATFORM: "${{matrix.TARGET_PLATFORM}}" - GH_TOKEN: ${{ steps.app.outputs.token }} diff --git a/.github/workflows/update-pgxn-version.yml b/.github/workflows/update-pgxn-version.yml index 2dfb179f..4cf7df3a 100644 --- a/.github/workflows/update-pgxn-version.yml +++ b/.github/workflows/update-pgxn-version.yml 
@@ -24,31 +24,27 @@ jobs: private-key: ${{ secrets.GH_APP_KEY }} owner: ${{ github.repository_owner }} + - name: Set GH_TOKEN for all steps + run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV + - name: Check out repository - uses: actions/checkout@v2 + uses: actions/checkout@v6 with: token: ${{ steps.app.outputs.token }} - - name: Setup git authentication for GitHub App - env: - GH_TOKEN: ${{ steps.app.outputs.token }} - run: | - git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/" + - name: Configure git with x-access-token + run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/" - name: Install dependencies run: sudo apt install libcurl4-openssl-dev libssl-dev - name: Clone Tools branch - env: - GH_TOKEN: ${{ steps.app.outputs.token }} - run: git clone --branch v0.8.35 https://x-access-token:${GH_TOKEN}@github.com/citusdata/tools.git + run: git clone --branch v0.8.35 https://github.com/citusdata/tools.git - name: Install Python requirements run: python -m pip install -r tools/packaging_automation/requirements.txt - name: Update pgxn files - env: - GH_TOKEN: ${{ steps.app.outputs.token }} run: | python -m tools.packaging_automation.update_pgxn \ --prj_ver ${PROJECT_VERSION} \ diff --git a/.github/workflows/update_package_properties.yml b/.github/workflows/update_package_properties.yml index 9644928c..7ea0e81a 100644 --- a/.github/workflows/update_package_properties.yml +++ b/.github/workflows/update_package_properties.yml 
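Review bot: The replaced `Setup git authentication for GitHub App` step used `env: GH_TOKEN:` plus `${GH_TOKEN}` in the script, which is the recommended way to get secrets into `run:` bodies; the new `Configure git with x-access-token` step interpolates `${{ steps.app.outputs.token }}` directly into the shell command. For a token value this is not an injection vector, but the env-var form keeps the secret out of the rendered script and is consistent with how the job-wide `GH_TOKEN` is already being exported. I'd restore `run: git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/"`, which also lets you drop the per-step `env:` blocks without losing that property.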
@@ -18,8 +18,24 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - name: Create GitHub App token + id: app + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: ${{ github.repository_owner }} + + - name: Set GH_TOKEN for all steps + run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV + + - name: Checkout repository + uses: actions/checkout@v6 + with: + token: ${{ steps.app.outputs.token }} + + - name: Configure git with x-access-token + run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/" # Runs a single command using the runners shell - name: Clone Tools branch diff --git a/scripts/fetch_and_build_deb b/scripts/fetch_and_build_deb index 16bafc57..da992406 100755 --- a/scripts/fetch_and_build_deb +++ b/scripts/fetch_and_build_deb @@ -88,7 +88,15 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc +if [ -z "${GH_TOKEN:-}" ]; then + echo "$0: GH_TOKEN (GitHub App token) is required but not set" >&2 + exit 66 +fi + +echo "header=\"Authorization: Bearer ${GH_TOKEN}\"" > ~/.curlrc + +# ensuring GH_TOKEN usage for clones/fetches +git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/" export NAME NAME=$(determine_name) diff --git a/scripts/fetch_and_build_pgxn b/scripts/fetch_and_build_pgxn index fd5f20a6..38924a73 100755 --- a/scripts/fetch_and_build_pgxn +++ b/scripts/fetch_and_build_pgxn 
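Review bot: The `Create GitHub App token` step passes `owner:` but no `repositories:`, so `actions/create-github-app-token@v1` mints a token scoped to every repository the app is installed on under that owner rather than just the ones this workflow touches. Since this job only needs the current repo and `citusdata/tools` (per the `Clone Tools branch` step that follows), add `repositories: ${{ github.event.repository.name }},tools` (adjust to the actual list) to keep the token least-privilege. The permissions the token carries are whatever the app installation grants, which I can't see from here.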
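Review bot: `echo "header=\"Authorization: Bearer ${GH_TOKEN}\"" > ~/.curlrc` attaches the bearer token to every request curl makes from this point on, regardless of host, so any non-GitHub download later in the script (package indexes, PGXN, etc.) receives the installation token. A host-scoped alternative is a `~/.netrc` entry (`machine api.github.com login x-access-token password ${GH_TOKEN}`) used with `curl -n`, or passing `-H` only on the GitHub API calls. Separately, `exit 66` is a magic number where the script already uses `exit $noinput` two lines above; use the named code for consistency. I can't see which other hosts this script contacts, so the leak is a risk rather than a confirmed one.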
@@ -50,7 +50,15 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc +if [ -z "${GH_TOKEN:-}" ]; then + echo "$0: GH_TOKEN (GitHub App token) is required but not set" >&2 + exit 66 +fi + +echo "header=\"Authorization: Bearer ${GH_TOKEN}\"" > ~/.curlrc + +# ensuring GH_TOKEN usage for clones/fetches +git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/" cp -R /buildfiles/META.json "${builddir}" repopath="citusdata/${hubproj}" diff --git a/scripts/fetch_and_build_rpm b/scripts/fetch_and_build_rpm index 28e8285b..5e97f654 100755 --- a/scripts/fetch_and_build_rpm +++ b/scripts/fetch_and_build_rpm @@ -81,7 +81,15 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc +if [ -z "${GH_TOKEN:-}" ]; then + echo "$0: GH_TOKEN (GitHub App token) is required but not set" >&2 + exit 66 +fi + +echo "header=\"Authorization: Bearer ${GH_TOKEN}\"" > ~/.curlrc + +# ensuring GH_TOKEN usage for clones/fetches +git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/" name=$(determine_name) email=$(determine_email) From b1a093414831e273c5eb746b600109c43b6d0f68 Mon Sep 17 00:00:00 2001 From: BarkinKctp Date: Mon, 6 Apr 2026 13:52:39 +0300 Subject: [PATCH 06/21] refactor: update build_packages to use GitHub App token for authentication --- build_packages | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/build_packages b/build_packages index 471cb208..9c862da3 100755 --- a/build_packages +++ b/build_packages 
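Review bot: This hunk is the third verbatim copy of the same 10-line token guard / `~/.curlrc` / `git config` block (also in `fetch_and_build_deb` and `fetch_and_build_rpm`), and the series already shows them drifting apart between `token` and `Bearer`. Moving it into a small sourced helper (e.g. `scripts/github_auth.sh`) would keep the three build scripts in step and give one place to fix the host-scoping of the curl header. Functionally the block is identical to the deb one, including the unnamed `exit 66`.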
@@ -17,6 +17,16 @@ fi project=$1 buildtype=$2 +if [ -z "${GH_TOKEN:-}" ]; then + echo "$0: GH_TOKEN (GitHub App token) is required but not set" >&2 + exit 66 +fi + +echo "header=\"Authorization: Bearer ${GH_TOKEN}\"" > ~/.curlrc + +# ensuring GH_TOKEN usage for clones/fetches +git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/" + name=$(git config --get user.name) email=$(git config --get user.email) packager="${name} <${email}>" @@ -52,7 +62,7 @@ while read -r line; do continue fi args+="run --rm -v ${outputdir}:/packages -v ${buildfilesdir}/deb:/buildfiles:ro " - args+="-e GITHUB_TOKEN=${GITHUB_TOKEN} -e DEBFULLNAME='${name}' -e DEBEMAIL='${email}' " + args+="-e GH_TOKEN=${GH_TOKEN} -e DEBFULLNAME='${name}' -e DEBEMAIL='${email}' " args+="citusdata/packaging:${os}-${release}-all $buildtype\n" elif [[ "${os}" = 'centos' ]] || [[ "${os}" = 'fedora' ]] || [[ "${os}" = 'oraclelinux' ]]; then # shellcheck source=/dev/null @@ -78,13 +88,13 @@ while read -r line; do fi pgshort=${pgversion//./} args+="run --rm -v ${outputdir}:/packages -v ${buildfilesdir}/rpm:/buildfiles:ro " - args+="-e GITHUB_TOKEN=${GITHUB_TOKEN} -e RPM_PACKAGER='${packager}' " + args+="-e GH_TOKEN=${GH_TOKEN} -e RPM_PACKAGER='${packager}' " args+="citusdata/packaging:${os}-${release}-pg${pgshort} $buildtype\n" done elif [[ "${os}" = 'pgxn' ]]; then if [[ "${project}" = 'citus' ]] && [[ "${buildtype}" = 'release' ]]; then args+="run --rm -v ${outputdir}:/packages -v ${buildfilesdir}/pgxn:/buildfiles:ro " - args+="-e GITHUB_TOKEN=${GITHUB_TOKEN} citusdata/packaging:${os}-all $buildtype\n" + args+="-e GH_TOKEN=${GH_TOKEN} citusdata/packaging:${os}-all $buildtype\n" else echo "skipping PGXN... unsupported for this build" >&2 fi From 954e80f0a6b35d4b4aa2935ab1e930a8d6468b2f Mon Sep 17 00:00:00 2001 
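Review bot: `build_packages` runs on the invoking host (it assembles `docker run …` argument strings below), so writing `~/.curlrc` and a global `url.insteadOf` credential rewrite here persists the installation token in the operator's home directory after the build finishes. The containers already receive the token via `-e GH_TOKEN`, and I can't see any `curl` or `git` clone in this script itself that needs host-side auth; if there is none, drop the two host-side writes and keep only the `GH_TOKEN` presence check. If host-side git auth really is needed, use `-c url.…insteadOf=…` on the individual git invocation rather than `--global`.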
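Review bot: `args+="-e GH_TOKEN=${GH_TOKEN} …"` embeds the token in the `docker run` command line, where it is visible to every local user via `ps`/`/proc` and to any shell audit log for as long as the container runs. Docker reads an unset-value `-e` from the caller's environment, so `args+="-e GH_TOKEN …"` (no `=`) passes the same value without exposing it; the same applies to the rpm and pgxn branches in the next hunk. This was already true of the pre-existing `GITHUB_TOKEN=` form, but the rename is a good moment to fix it.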
From: BarkinKctp Date: Mon, 6 Apr 2026 14:29:35 +0300 Subject: [PATCH 07/21] testing with refactored branch --- .github/workflows/build-pgazure-nightlies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-pgazure-nightlies.yml b/.github/workflows/build-pgazure-nightlies.yml index d2bcd309..59256a1e 100644 --- a/.github/workflows/build-pgazure-nightlies.yml +++ b/.github/workflows/build-pgazure-nightlies.yml @@ -64,7 +64,7 @@ jobs: password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Clone tools branch - run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools + run: git clone -b brk-test --depth=1 https://github.com/citusdata/tools.git tools - name: Clone build branch run: git clone -b "${MAIN_BRANCH}" --depth=1 https://github.com/citusdata/packaging.git packaging From 9af51bf8931953921a8517c400672e4bd7256b48 Mon Sep 17 00:00:00 2001 From: BarkinKctp Date: Mon, 6 Apr 2026 14:55:16 +0300 Subject: [PATCH 08/21] testing with updated tools branch --- .github/workflows/build-citus-community-nightlies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-citus-community-nightlies.yml b/.github/workflows/build-citus-community-nightlies.yml index 83342fd6..84a435ce 100644 --- a/.github/workflows/build-citus-community-nightlies.yml +++ b/.github/workflows/build-citus-community-nightlies.yml @@ -66,7 +66,7 @@ jobs: password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Clone tools repo for test - run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools + run: git clone -b brk-test --depth=1 https://github.com/citusdata/tools.git tools - name: Clone build branch run: git clone -b "${MAIN_BRANCH}" --depth=1 https://github.com/citusdata/packaging.git packaging From 7c2b12010596ac600eb25fdc74fbf26afcb3a305 Mon Sep 17 00:00:00 2001 
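Review bot: Switching the tools clone from the `v0.8.35` tag to the `brk-test` branch means the nightly pipeline now executes whatever is currently pushed to a personal test branch, with the GitHub App token and the Docker Hub / packagecloud secrets in the environment. The commit subject says this is for testing, so please make sure it is reverted (or pointed at a tagged release / commit SHA) before the series merges; a follow-up that forgets to flip it back would silently leave production nightlies tracking a mutable branch.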
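Review bot: Same concern for `build-citus-community-nightlies.yml`: `git clone -b brk-test` replaces a release tag with a mutable branch in the workflow that builds the public community packages. If the intent is to test the refactored tools code, consider a workflow input or `vars.TOOLS_REF` defaulting to the release tag so the override never has to be committed to the workflow file.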
From: BarkinKctp Date: Mon, 6 Apr 2026 19:02:17 +0300 Subject: [PATCH 09/21] refactor: update scripts --- scripts/fetch_and_build_deb | 17 +++++++++++------ scripts/fetch_and_build_pgxn | 17 +++++++++++------ scripts/fetch_and_build_rpm | 17 +++++++++++------ 3 files changed, 33 insertions(+), 18 deletions(-) diff --git a/scripts/fetch_and_build_deb b/scripts/fetch_and_build_deb index da992406..81be608c 100755 --- a/scripts/fetch_and_build_deb +++ b/scripts/fetch_and_build_deb @@ -88,15 +88,20 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -if [ -z "${GH_TOKEN:-}" ]; then - echo "$0: GH_TOKEN (GitHub App token) is required but not set" >&2 - exit 66 +# normalize token name (accept GH_TOKEN from CI) and fail fast — we only use installation tokens +if [ -n "${GH_TOKEN:-}" ] && [ -z "${GITHUB_TOKEN:-}" ]; then + export GITHUB_TOKEN="${GH_TOKEN}" fi -echo "header=\"Authorization: Bearer ${GH_TOKEN}\"" > ~/.curlrc +if [ -z "${GITHUB_TOKEN:-}" ]; then + echo "$0: error: GITHUB_TOKEN (installation token) is required" >&2 + exit $noinput +fi -# ensuring GH_TOKEN usage for clones/fetches -git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/" +# use installation token for curl and git; keep token file permission-restricted +printf 'header="Authorization: token %s"\n' "${GITHUB_TOKEN}" > ~/.curlrc +chmod 600 ~/.curlrc +git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" export NAME NAME=$(determine_name) diff --git a/scripts/fetch_and_build_pgxn b/scripts/fetch_and_build_pgxn index 38924a73..a5a30726 100755 --- a/scripts/fetch_and_build_pgxn +++ b/scripts/fetch_and_build_pgxn 
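Review bot: `printf … > ~/.curlrc` followed by `chmod 600 ~/.curlrc` creates the file with the process umask first and tightens it afterwards, so there is a brief window where the token is world-readable if the umask is permissive; create it restricted up front with `install -m 600 /dev/null ~/.curlrc` (or `umask 077` before the redirect) and then write. The switch to `printf '%s'` and to `exit $noinput` are both good changes. The `curlrc` header still applies to every host curl contacts, which is worth keeping in mind for any non-GitHub downloads further down this script.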
@@ -50,15 +50,20 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -if [ -z "${GH_TOKEN:-}" ]; then - echo "$0: GH_TOKEN (GitHub App token) is required but not set" >&2 - exit 66 +# normalize token name (accept GH_TOKEN from CI) and fail fast — we only use installation tokens +if [ -n "${GH_TOKEN:-}" ] && [ -z "${GITHUB_TOKEN:-}" ]; then + export GITHUB_TOKEN="${GH_TOKEN}" fi -echo "header=\"Authorization: Bearer ${GH_TOKEN}\"" > ~/.curlrc +if [ -z "${GITHUB_TOKEN:-}" ]; then + echo "$0: error: GITHUB_TOKEN (installation token) is required" >&2 + exit $noinput +fi -# ensuring GH_TOKEN usage for clones/fetches -git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/" +# use installation token for curl and git; keep token file permission-restricted +printf 'header="Authorization: token %s"\n' "${GITHUB_TOKEN}" > ~/.curlrc +chmod 600 ~/.curlrc +git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" cp -R /buildfiles/META.json "${builddir}" repopath="citusdata/${hubproj}" diff --git a/scripts/fetch_and_build_rpm b/scripts/fetch_and_build_rpm index 5e97f654..046ef265 100755 --- a/scripts/fetch_and_build_rpm +++ b/scripts/fetch_and_build_rpm 
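Review bot: This hunk reproduces the deb script's new guard block line for line, so the three build scripts now carry the same ~12 lines of token normalisation and credential setup; a shared `scripts/github_auth.sh` sourced by each would keep them from drifting again. The same `chmod 600`-after-write ordering applies here — prefer `install -m 600 /dev/null ~/.curlrc` before the `printf`.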
@@ -81,15 +81,20 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -if [ -z "${GH_TOKEN:-}" ]; then - echo "$0: GH_TOKEN (GitHub App token) is required but not set" >&2 - exit 66 +# normalize token name (accept GH_TOKEN from CI) and fail fast — we only use installation tokens +if [ -n "${GH_TOKEN:-}" ] && [ -z "${GITHUB_TOKEN:-}" ]; then + export GITHUB_TOKEN="${GH_TOKEN}" fi -echo "header=\"Authorization: Bearer ${GH_TOKEN}\"" > ~/.curlrc +if [ -z "${GITHUB_TOKEN:-}" ]; then + echo "$0: error: GITHUB_TOKEN (installation token) is required" >&2 + exit $noinput +fi -# ensuring GH_TOKEN usage for clones/fetches -git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/" +# use installation token for curl and git; keep token file permission-restricted +printf 'header="Authorization: token %s"\n' "${GITHUB_TOKEN}" > ~/.curlrc +chmod 600 ~/.curlrc +git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" name=$(determine_name) email=$(determine_email) From a112df9543c4a3f42c74201361c1860e1422e876 Mon Sep 17 00:00:00 2001 From: BarkinKctp Date: Fri, 17 Apr 2026 10:05:20 +0300 Subject: [PATCH 10/21] Revert Changes --- .github/workflows/build-package-test.yml | 4 +--- .github/workflows/build-package.yml | 1 - .github/workflows/image-health-check.yml | 17 ----------------- .github/workflows/update_package_properties.yml | 15 --------------- build_packages | 16 ++++------------ scripts/fetch_and_build_deb | 14 +------------- scripts/fetch_and_build_pgxn | 14 +------------- scripts/fetch_and_build_rpm | 14 +------------- 8 files changed, 8 insertions(+), 87 deletions(-) diff --git a/.github/workflows/build-package-test.yml b/.github/workflows/build-package-test.yml index 61ae7843..09dcca56 100644 --- a/.github/workflows/build-package-test.yml +++ b/.github/workflows/build-package-test.yml 
@@ -101,7 +101,6 @@ jobs: python -m pytest -q tools/packaging_automation/tests/test_citus_package.py -k 'test_build_packages' env: PACKAGING_IMAGE_PLATFORM: "${{matrix.TARGET_PLATFORM}}" - GH_TOKEN: ${{ steps.app.outputs.token }} - name: Push images run: | @@ -109,5 +108,4 @@ jobs: ./ci/push_images env: TARGET_PLATFORM: ${{ matrix.TARGET_PLATFORM }} - POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} - GH_TOKEN: ${{ steps.app.outputs.token }} + POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} \ No newline at end of file diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml index 110f0129..92e0911a 100644 --- a/.github/workflows/build-package.yml +++ b/.github/workflows/build-package.yml @@ -107,4 +107,3 @@ jobs: env: TARGET_PLATFORM: ${{ matrix.TARGET_PLATFORM }} POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} - GH_TOKEN: ${{ steps.app.outputs.token }} diff --git a/.github/workflows/image-health-check.yml b/.github/workflows/image-health-check.yml index a308b720..ac88d2e5 100644 --- a/.github/workflows/image-health-check.yml +++ b/.github/workflows/image-health-check.yml @@ -27,24 +27,8 @@ jobs: runs-on: ubuntu-latest steps: - - name: Create GitHub App token - id: app - uses: actions/create-github-app-token@v1 - with: - app-id: ${{ vars.GH_APP_ID }} - private-key: ${{ secrets.GH_APP_KEY }} - owner: ${{ github.repository_owner }} - - - name: Set GH_TOKEN for all steps - run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV - - name: Check out repository uses: actions/checkout@v6 - with: - token: ${{ steps.app.outputs.token }} - - - name: Configure git with x-access-token - run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/" - name: Update and check dockerfiles run: | 
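Review bot: The second hunk in `build-package-test.yml` strips the file's trailing newline (`\ No newline at end of file`) while removing the `GH_TOKEN` entry; please restore the newline so the next edit doesn't produce a spurious diff. Beyond that, the revert leaves `./ci/push_images` with only `TARGET_PLATFORM`/`POSTGRES_VERSION` in its environment, so if that script needs a GitHub token it now depends on a job-wide variable that this hunk does not show — worth confirming.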
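Review bot: The `image-health-check.yml` revert removes the app-token creation, the `$GITHUB_ENV` export and the git credential rewrite, so `Check out repository` falls back to the workflow's default `GITHUB_TOKEN` and the following `./update_dockerfiles` step has no app token at all. If that step (or the later tools clone) only reads public repositories this is the safer configuration; if it pushes or reads private repos, it will now fail with the default token's narrower scope. The step body is cut off at the end of the hunk, so I can't confirm which it is.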
@@ -111,7 +95,6 @@ jobs: TARGET_PLATFORM: ${{ matrix.TARGET_PLATFORM }} POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} - - name: Clone tools repo for test run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools diff --git a/.github/workflows/update_package_properties.yml b/.github/workflows/update_package_properties.yml index 7ea0e81a..32e38d55 100644 --- a/.github/workflows/update_package_properties.yml +++ b/.github/workflows/update_package_properties.yml @@ -18,24 +18,9 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: - - name: Create GitHub App token - id: app - uses: actions/create-github-app-token@v1 - with: - app-id: ${{ vars.GH_APP_ID }} - private-key: ${{ secrets.GH_APP_KEY }} - owner: ${{ github.repository_owner }} - - - name: Set GH_TOKEN for all steps - run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@v6 - with: - token: ${{ steps.app.outputs.token }} - - - name: Configure git with x-access-token - run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/" # Runs a single command using the runners shell - name: Clone Tools branch diff --git a/build_packages b/build_packages index 9c862da3..9c054b80 100755 --- a/build_packages +++ b/build_packages @@ -17,15 +17,7 @@ fi project=$1 buildtype=$2 -if [ -z "${GH_TOKEN:-}" ]; then - echo "$0: GH_TOKEN (GitHub App token) is required but not set" >&2 - exit 66 -fi - -echo "header=\"Authorization: Bearer ${GH_TOKEN}\"" > ~/.curlrc - -# ensuring GH_TOKEN usage for clones/fetches -git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/" +git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" name=$(git config --get user.name) email=$(git config --get user.email) 
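Review bot: Reverting `build_packages` to a bare `git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf …` drops the only check that the token is set; with `GITHUB_TOKEN` unset the script silently rewrites every github.com URL to `https://x-access-token:@github.com/` and later passes `-e GITHUB_TOKEN=` (empty) into the containers. A one-line guard keeps the fail-fast behaviour without the rest of the reverted block: `: "${GITHUB_TOKEN:?GITHUB_TOKEN must be set}"` before the `git config` line. The `~/.curlrc` write being gone from the host-side script is fine.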
@@ -62,7 +54,7 @@ while read -r line; do continue fi args+="run --rm -v ${outputdir}:/packages -v ${buildfilesdir}/deb:/buildfiles:ro " - args+="-e GH_TOKEN=${GH_TOKEN} -e DEBFULLNAME='${name}' -e DEBEMAIL='${email}' " + args+="-e GITHUB_TOKEN=${GITHUB_TOKEN} -e DEBFULLNAME='${name}' -e DEBEMAIL='${email}' " args+="citusdata/packaging:${os}-${release}-all $buildtype\n" elif [[ "${os}" = 'centos' ]] || [[ "${os}" = 'fedora' ]] || [[ "${os}" = 'oraclelinux' ]]; then # shellcheck source=/dev/null @@ -88,13 +80,13 @@ while read -r line; do fi pgshort=${pgversion//./} args+="run --rm -v ${outputdir}:/packages -v ${buildfilesdir}/rpm:/buildfiles:ro " - args+="-e GH_TOKEN=${GH_TOKEN} -e RPM_PACKAGER='${packager}' " + args+="-e GITHUB_TOKEN=${GITHUB_TOKEN} -e RPM_PACKAGER='${packager}' " args+="citusdata/packaging:${os}-${release}-pg${pgshort} $buildtype\n" done elif [[ "${os}" = 'pgxn' ]]; then if [[ "${project}" = 'citus' ]] && [[ "${buildtype}" = 'release' ]]; then args+="run --rm -v ${outputdir}:/packages -v ${buildfilesdir}/pgxn:/buildfiles:ro " - args+="-e GH_TOKEN=${GH_TOKEN} citusdata/packaging:${os}-all $buildtype\n" + args+="-e GITHUB_TOKEN=${GITHUB_TOKEN} citusdata/packaging:${os}-all $buildtype\n" else echo "skipping PGXN... unsupported for this build" >&2 fi diff --git a/scripts/fetch_and_build_deb b/scripts/fetch_and_build_deb index 81be608c..b1f371f6 100755 --- a/scripts/fetch_and_build_deb +++ b/scripts/fetch_and_build_deb 
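Review bot: `args+="-e GITHUB_TOKEN=${GITHUB_TOKEN} …"` (and the rpm/pgxn variants in the next hunk) puts the token into the `docker run` argument list, where it is readable by other local users through `ps` or `/proc/*/cmdline` for the life of the container. Docker forwards an unset-value `-e NAME` from the caller's environment, so `args+="-e GITHUB_TOKEN …"` passes the same value without exposing it. The rename back to `GITHUB_TOKEN` is otherwise consistent with the scripts below.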
@@ -88,19 +88,7 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -# normalize token name (accept GH_TOKEN from CI) and fail fast — we only use installation tokens -if [ -n "${GH_TOKEN:-}" ] && [ -z "${GITHUB_TOKEN:-}" ]; then - export GITHUB_TOKEN="${GH_TOKEN}" -fi - -if [ -z "${GITHUB_TOKEN:-}" ]; then - echo "$0: error: GITHUB_TOKEN (installation token) is required" >&2 - exit $noinput -fi - -# use installation token for curl and git; keep token file permission-restricted -printf 'header="Authorization: token %s"\n' "${GITHUB_TOKEN}" > ~/.curlrc -chmod 600 ~/.curlrc +echo "header=\"Authorization: Bearer ${GITHUB_TOKEN}\"" > ~/.curlrc git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" export NAME diff --git a/scripts/fetch_and_build_pgxn b/scripts/fetch_and_build_pgxn index a5a30726..a9932569 100755 --- a/scripts/fetch_and_build_pgxn +++ b/scripts/fetch_and_build_pgxn @@ -50,19 +50,7 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -# normalize token name (accept GH_TOKEN from CI) and fail fast — we only use installation tokens -if [ -n "${GH_TOKEN:-}" ] && [ -z "${GITHUB_TOKEN:-}" ]; then - export GITHUB_TOKEN="${GH_TOKEN}" -fi - -if [ -z "${GITHUB_TOKEN:-}" ]; then - echo "$0: error: GITHUB_TOKEN (installation token) is required" >&2 - exit $noinput -fi - -# use installation token for curl and git; keep token file permission-restricted -printf 'header="Authorization: token %s"\n' "${GITHUB_TOKEN}" > ~/.curlrc -chmod 600 ~/.curlrc +echo "header=\"Authorization: Bearer ${GITHUB_TOKEN}\"" > ~/.curlrc git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" cp -R /buildfiles/META.json "${builddir}" diff --git a/scripts/fetch_and_build_rpm b/scripts/fetch_and_build_rpm index 046ef265..7fc6afae 100755 --- a/scripts/fetch_and_build_rpm +++ b/scripts/fetch_and_build_rpm 
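Review bot: The revert in `fetch_and_build_deb` drops both the empty-token guard and the `chmod 600`, so an unset `GITHUB_TOKEN` now produces a `~/.curlrc` containing `Authorization: Bearer ` and the script continues until some later API call fails with a less obvious error. Keeping at least `: "${GITHUB_TOKEN:?GITHUB_TOKEN must be set}"` ahead of the `echo` preserves the fail-fast without the rest of the reverted block. The same applies to the pgxn hunk below, which is a line-for-line copy.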
@@ -81,19 +81,7 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -# normalize token name (accept GH_TOKEN from CI) and fail fast — we only use installation tokens -if [ -n "${GH_TOKEN:-}" ] && [ -z "${GITHUB_TOKEN:-}" ]; then - export GITHUB_TOKEN="${GH_TOKEN}" -fi - -if [ -z "${GITHUB_TOKEN:-}" ]; then - echo "$0: error: GITHUB_TOKEN (installation token) is required" >&2 - exit $noinput -fi - -# use installation token for curl and git; keep token file permission-restricted -printf 'header="Authorization: token %s"\n' "${GITHUB_TOKEN}" > ~/.curlrc -chmod 600 ~/.curlrc +echo "header=\"Authorization: Bearer ${GITHUB_TOKEN}\"" > ~/.curlrc git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" name=$(determine_name) From 59f119b1d75b08bba2a81192b59b5afefe50a90f Mon Sep 17 00:00:00 2001 From: BarkinKctp Date: Fri, 17 Apr 2026 11:28:12 +0300 Subject: [PATCH 11/21] Checking token format --- scripts/fetch_and_build_deb | 9 ++++++++- scripts/fetch_and_build_pgxn | 2 +- scripts/fetch_and_build_rpm | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/scripts/fetch_and_build_deb b/scripts/fetch_and_build_deb index b1f371f6..472e3d46 100755 --- a/scripts/fetch_and_build_deb +++ b/scripts/fetch_and_build_deb @@ -88,7 +88,14 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -echo "header=\"Authorization: Bearer ${GITHUB_TOKEN}\"" > ~/.curlrc +if [[ "$GITHUB_TOKEN" == ..* ]]; then + echo "TOKEN FORMAT: appears to be a JWT (app-level token)." +else + echo "TOKEN FORMAT: not a JWT (installation token or PAT)." +fi + + +echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" export NAME diff --git a/scripts/fetch_and_build_pgxn b/scripts/fetch_and_build_pgxn index a9932569..17fecc13 100755 --- a/scripts/fetch_and_build_pgxn +++ b/scripts/fetch_and_build_pgxn 
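Review bot: `[[ "$GITHUB_TOKEN" == ..* ]]` does not test for a JWT — in bash pattern matching `.` is a literal dot, so this matches only tokens that begin with two dots, and the "not a JWT" branch will print for every real value. If you want to distinguish an app JWT (three base64url segments) from an installation token, test for the two dots anywhere: `[[ "$GITHUB_TOKEN" == *.*.* ]]`, or check the `eyJ` prefix. This is debug code, so the cleaner fix is to remove it before merge rather than correct it; note that it also switches the header back to `Authorization: token`, the third flip in this series.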
@@ -50,7 +50,7 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -echo "header=\"Authorization: Bearer ${GITHUB_TOKEN}\"" > ~/.curlrc +echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" cp -R /buildfiles/META.json "${builddir}" diff --git a/scripts/fetch_and_build_rpm b/scripts/fetch_and_build_rpm index 7fc6afae..9979c609 100755 --- a/scripts/fetch_and_build_rpm +++ b/scripts/fetch_and_build_rpm @@ -81,7 +81,7 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -echo "header=\"Authorization: Bearer ${GITHUB_TOKEN}\"" > ~/.curlrc +echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" name=$(determine_name) From a697215b93d4ce05a339f079fdc08f9a31838d92 Mon Sep 17 00:00:00 2001 From: BarkinKctp Date: Tue, 21 Apr 2026 15:20:49 +0300 Subject: [PATCH 12/21] update authorization header format to use Bearer token --- scripts/fetch_and_build_deb | 9 +-------- scripts/fetch_and_build_pgxn | 2 +- scripts/fetch_and_build_rpm | 2 +- 3 files changed, 3 insertions(+), 10 deletions(-) diff --git a/scripts/fetch_and_build_deb b/scripts/fetch_and_build_deb index 472e3d46..b1f371f6 100755 --- a/scripts/fetch_and_build_deb +++ b/scripts/fetch_and_build_deb @@ -88,14 +88,7 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -if [[ "$GITHUB_TOKEN" == ..* ]]; then - echo "TOKEN FORMAT: appears to be a JWT (app-level token)." -else - echo "TOKEN FORMAT: not a JWT (installation token or PAT)." -fi - - -echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc +echo "header=\"Authorization: Bearer ${GITHUB_TOKEN}\"" > ~/.curlrc git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" export NAME 
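Review bot: This is the fourth commit toggling the same line between `Authorization: token` and `Authorization: Bearer`; GitHub's REST API accepts both schemes for installation tokens, so the flipping is unlikely to be what fixes or breaks the build and a failing request is more plausibly a permission/repository-scope problem on the token. Pick one form (`Bearer` is what GitHub's docs show today) across all three scripts and leave it, so the history stops obscuring the real change. The debug token-format block from the previous commit is correctly removed here.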
diff --git a/scripts/fetch_and_build_pgxn b/scripts/fetch_and_build_pgxn index 17fecc13..a9932569 100755 --- a/scripts/fetch_and_build_pgxn +++ b/scripts/fetch_and_build_pgxn @@ -50,7 +50,7 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc +echo "header=\"Authorization: Bearer ${GITHUB_TOKEN}\"" > ~/.curlrc git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" cp -R /buildfiles/META.json "${builddir}" diff --git a/scripts/fetch_and_build_rpm b/scripts/fetch_and_build_rpm index 9979c609..7fc6afae 100755 --- a/scripts/fetch_and_build_rpm +++ b/scripts/fetch_and_build_rpm @@ -81,7 +81,7 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc +echo "header=\"Authorization: Bearer ${GITHUB_TOKEN}\"" > ~/.curlrc git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" name=$(determine_name) From 659838ce38a424b50d93bcd0502ad5fb2cb718af Mon Sep 17 00:00:00 2001 From: BarkinKctp Date: Tue, 21 Apr 2026 17:43:52 +0300 Subject: [PATCH 13/21] finding gitmodules --- scripts/fetch_and_build_deb | 5 ++++- scripts/fetch_and_build_pgxn | 2 +- scripts/fetch_and_build_rpm | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/scripts/fetch_and_build_deb b/scripts/fetch_and_build_deb index b1f371f6..c6595e3b 100755 --- a/scripts/fetch_and_build_deb +++ b/scripts/fetch_and_build_deb @@ -88,7 +88,7 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -echo "header=\"Authorization: Bearer ${GITHUB_TOKEN}\"" > ~/.curlrc +echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" export NAME 
@@ -162,6 +162,9 @@ curl -sL "https://api.github.com/repos/${repopath}/tarball/${gitsha}" \ mkdir -p "${packagepath}" tar xf "${tarballpath}" -C "${packagepath}" --strip-components 1 +echo "DEBUG: .gitmodules present?"; ls -la "${packagepath}/.gitmodules" || true +echo "DEBUG: first 50 lines of .gitmodules:"; sed -n '1,50p' "${packagepath}/.gitmodules" || true + # git metadata needs to be setup to initialize submodules # in repos which rely on git submodules if [[ -f "${packagepath}/.gitmodules" ]]; then diff --git a/scripts/fetch_and_build_pgxn b/scripts/fetch_and_build_pgxn index a9932569..17fecc13 100755 --- a/scripts/fetch_and_build_pgxn +++ b/scripts/fetch_and_build_pgxn @@ -50,7 +50,7 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -echo "header=\"Authorization: Bearer ${GITHUB_TOKEN}\"" > ~/.curlrc +echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" cp -R /buildfiles/META.json "${builddir}" diff --git a/scripts/fetch_and_build_rpm b/scripts/fetch_and_build_rpm index 7fc6afae..9979c609 100755 --- a/scripts/fetch_and_build_rpm +++ b/scripts/fetch_and_build_rpm @@ -81,7 +81,7 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -echo "header=\"Authorization: Bearer ${GITHUB_TOKEN}\"" > ~/.curlrc +echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" name=$(determine_name) From c30c52b389e4534563e76b14bf3f028352cac6cc Mon Sep 17 00:00:00 2001 From: BarkinKctp Date: Wed, 22 Apr 2026 20:31:49 +0300 Subject: [PATCH 14/21] feat: add debug logging for GITHUB_TOKEN and commit verification --- scripts/fetch_and_build_deb | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/scripts/fetch_and_build_deb b/scripts/fetch_and_build_deb index c6595e3b..704a91b3 100755 --- a/scripts/fetch_and_build_deb 
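Review bot: The two `echo "DEBUG: …"`/`sed -n '1,50p' … .gitmodules` lines dump the extracted tarball's submodule configuration into the build log on every run and are unconditional, so they will ship unless someone remembers to strip them. If the output is still useful, gate it (`if [ -n "${PACKAGING_DEBUG:-}" ]; then …; fi`) and send it to stderr like the script's other diagnostics; otherwise drop the lines before merge. The `|| true` guards are fine for what they do.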
+++ b/scripts/fetch_and_build_deb @@ -100,6 +100,11 @@ EMAIL=$(determine_email) cp -R /buildfiles/debian "${builddir}" repopath="citusdata/${hubproj}" +echo "DEBUG: GITHUB_TOKEN length: ${#GITHUB_TOKEN}" +curl -s -o /dev/null -w "DEBUG: commits endpoint HTTP=%{http_code}\n" \ + -H "Authorization: token ${GITHUB_TOKEN}" \ + "https://api.github.com/repos/${repopath}/commits/${nightlyref}" + case "${1}" in release) packageversion=${pkglatest%-*} @@ -113,11 +118,10 @@ case "${1}" in exit $failure fi - verified=$(curl -sH 'Accept:application/vnd.github.cryptographer-preview+sha' \ - "https://api.github.com/repos/${repopath}/git/tags/${gitsha}" | \ - jq -r '.verification.verified') + verified=$(curl -s "https://api.github.com/repos/${repopath}/releases/tags/${releasetag}" | \ + jq -r '.verify_tag // false') if [ "${verified}" != 'true' ]; then - echo "$0: could not verify signature for git tag ${releasetag}" >&2 + echo "$0: could not verify release for tag ${releasetag}" >&2 exit $failure fi From 3a4cfe54d37f32c3ab8ea9a5f97b45340219b0b5 Mon Sep 17 00:00:00 2001 From: BarkinKctp Date: Wed, 22 Apr 2026 20:45:58 +0300 Subject: [PATCH 15/21] update GitHub API request to be compatible with app token --- scripts/fetch_and_build_deb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/fetch_and_build_deb b/scripts/fetch_and_build_deb index 704a91b3..647b02cb 100755 --- a/scripts/fetch_and_build_deb +++ b/scripts/fetch_and_build_deb @@ -139,8 +139,9 @@ case "${1}" in setnextversion "${pkglatest}" set +e - gitsha=$(curl -sfH 'Accept:application/vnd.github.v3.sha' \ - "https://api.github.com/repos/${repopath}/commits/${ref}") + gitsha=$(curl -sfH 'Accept:application/vnd.github+json' \ + "https://api.github.com/repos/${repopath}/commits/${ref}" | \ + jq -r '.sha') if [ "${?}" -ne 0 ]; then echo "$0: could not determine commit for git ref ${ref}" >&2 exit $failure From 4459c2d8e930f2749f609bb81a98726bfaa5da50 Mon Sep 17 00:00:00 2001 
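Review bot: `echo "DEBUG: GITHUB_TOKEN length: ${#GITHUB_TOKEN}"` and the probe `curl … -H "Authorization: token ${GITHUB_TOKEN}"` are unconditional debug output that will land in every nightly's log; the length is low-sensitivity but it still fingerprints the credential type, and the probe doubles the API calls for no functional effect. Remove both before merge or gate them behind an explicit debug variable. The probe also uses the `token` scheme while the `~/.curlrc` written just above uses `Bearer`, which is confusing when reading the log.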
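Review bot: Replacing the `git/tags/${gitsha}` lookup of `.verification.verified` with `releases/tags/${releasetag}` and `jq -r '.verify_tag // false'` changes what is being verified: the old check validated the signature on the annotated tag object itself, while the new one reads a release-level field, and if the releases response carries no `verify_tag` key the `// false` fallback will reject every release. I cannot confirm from here that the releases endpoint returns such a field; if the motivation is that the app token lacks access to the `cryptographer-preview` media type, the safer path is to keep the tag-object signature check and grant the token `contents: read`, e.g. `verified=$(curl -sfH 'Accept: application/vnd.github+json' "https://api.github.com/repos/${repopath}/git/tags/${gitsha}" | jq -r '.verification.verified')`. The updated error text (`could not verify release for tag`) should follow whichever check you keep.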
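Review bot: After the new `gitsha=$(curl -sf … | jq -r '.sha')`, the following `if [ "${?}" -ne 0 ]` now tests jq's exit status rather than curl's (the script is under `set +e` here and there is no `pipefail`), and `jq -r '.sha'` on the empty body a failed `curl -f` produces exits 0 with no output. The result is that an unreachable or unauthorised commits endpoint slips past the check with an empty `gitsha`, which then feeds the tarball URL below. Test the value instead of the pipeline status: `if [ -z "${gitsha}" ] || [ "${gitsha}" = 'null' ]; then`, or enable `set -o pipefail` for the command substitution. The `case` arm containing this code continues past the end of the hunk.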
From: BarkinKctp Date: Wed, 22 Apr 2026 20:51:51 +0300 Subject: [PATCH 16/21] change token type after changes --- scripts/fetch_and_build_deb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/fetch_and_build_deb b/scripts/fetch_and_build_deb index 647b02cb..9c6148b2 100755 --- a/scripts/fetch_and_build_deb +++ b/scripts/fetch_and_build_deb @@ -88,7 +88,7 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -echo "header=\"Authorization: token ${GITHUB_TOKEN}\"" > ~/.curlrc +echo "header=\"Authorization: Bearer ${GITHUB_TOKEN}\"" > ~/.curlrc git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" export NAME From 38200a6686ee52d221a538d25c1e794bad9e31f3 Mon Sep 17 00:00:00 2001 From: BarkinKctp Date: Wed, 22 Apr 2026 21:08:59 +0300 Subject: [PATCH 17/21] update GitHub API requests --- scripts/fetch_and_build_deb | 33 +++++++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 8 deletions(-) diff --git a/scripts/fetch_and_build_deb b/scripts/fetch_and_build_deb index 9c6148b2..99a2f04f 100755 --- a/scripts/fetch_and_build_deb +++ b/scripts/fetch_and_build_deb @@ -88,7 +88,7 @@ if [ -z "${pkglatest}" ]; then exit $noinput fi -echo "header=\"Authorization: Bearer ${GITHUB_TOKEN}\"" > ~/.curlrc +# echo "header=\"Authorization: Bearer ${GITHUB_TOKEN}\"" > ~/.curlrc not used currently git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" export NAME @@ -102,7 +102,9 @@ repopath="citusdata/${hubproj}" echo "DEBUG: GITHUB_TOKEN length: ${#GITHUB_TOKEN}" curl -s -o /dev/null -w "DEBUG: commits endpoint HTTP=%{http_code}\n" \ - -H "Authorization: token ${GITHUB_TOKEN}" \ + -H "Authorization: Bearer ${GITHUB_TOKEN}" \ + -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ "https://api.github.com/repos/${repopath}/commits/${nightlyref}" case "${1}" in 
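Review bot: Commenting out the `~/.curlrc` line (`# echo "header=… ${GITHUB_TOKEN}…" > ~/.curlrc not used currently`) leaves dead code carrying the token variable in a comment; delete it outright, since the hunks below now pass `-H "Authorization: Bearer …"` on each GitHub API call, which is the better host-scoped approach anyway. Be aware that any remaining `curl` in this script that does not pass its own `-H` becomes unauthenticated with this change — I can only see four calls updated in this commit, so please grep for others. The `git config --global url.insteadOf` rewrite below is unchanged and still needed for the submodule clones.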
@@ -111,15 +113,23 @@ case "${1}" in releasetag="v${packageversion/'~'/-}" releasetag="${releasetag%.citus}" - gitsha=$(curl -s "https://api.github.com/repos/${repopath}/git/refs/tags/${releasetag}" | \ + gitsha=$(curl -sf \ + -H "Authorization: Bearer ${GITHUB_TOKEN}" \ + -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/${repopath}/git/refs/tags/${releasetag}" | \ jq -r '.object.sha') if [ "${gitsha}" == 'null' ]; then echo "$0: could not determine commit for git tag ${releasetag}" >&2 exit $failure fi - verified=$(curl -s "https://api.github.com/repos/${repopath}/releases/tags/${releasetag}" | \ - jq -r '.verify_tag // false') + verified=$(curl -sf \ + -H "Authorization: Bearer ${GITHUB_TOKEN}" \ + -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/${repopath}/releases/tags/${releasetag}" | \ + jq -r '.verify_tag // false') if [ "${verified}" != 'true' ]; then echo "$0: could not verify release for tag ${releasetag}" >&2 exit $failure @@ -139,7 +149,10 @@ case "${1}" in setnextversion "${pkglatest}" set +e - gitsha=$(curl -sfH 'Accept:application/vnd.github+json' \ + gitsha=$(curl -sf \ + -H "Authorization: Bearer ${GITHUB_TOKEN}" \ + -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ "https://api.github.com/repos/${repopath}/commits/${ref}" | \ jq -r '.sha') if [ "${?}" -ne 0 ]; then 
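Review bot: With `-f` added to the tag lookup, a 404 or 401 makes curl emit nothing, jq on empty input prints nothing, and `gitsha` becomes an empty string — which the next line's `[ "${gitsha}" == 'null' ]` does not catch, so the script carries on and later requests `tarball/` with no ref. Tighten the guard to `if [ -z "${gitsha}" ] || [ "${gitsha}" == 'null' ]; then`. The same empty-output case reaches the `verified=` pipe below, but there `// false` already fails closed. The enclosing `case` block starts and ends outside the hunk.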
@@ -161,8 +174,12 @@ esac tarballpath="${builddir}/${pkgname}_${packageversion}.orig.tar.gz" packagepath="${builddir}/${packageversion}" -curl -sL "https://api.github.com/repos/${repopath}/tarball/${gitsha}" \ - -o "${tarballpath}" +curl -sfL \ + -H "Authorization: Bearer ${GITHUB_TOKEN}" \ + -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/${repopath}/tarball/${gitsha}" \ + -o "${tarballpath}" mkdir -p "${packagepath}" tar xf "${tarballpath}" -C "${packagepath}" --strip-components 1 From 8a691159c0f74e346c48fcbfec659cf1cc386db7 Mon Sep 17 00:00:00 2001 From: BarkinKctp Date: Wed, 22 Apr 2026 21:20:43 +0300 Subject: [PATCH 18/21] add debug logging --- scripts/fetch_and_build_deb | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/fetch_and_build_deb b/scripts/fetch_and_build_deb index 99a2f04f..c785292b 100755 --- a/scripts/fetch_and_build_deb +++ b/scripts/fetch_and_build_deb @@ -230,6 +230,7 @@ case "${1}" in esac +echo "DEBUG: running pg_buildext updatecontrol in $(pwd)" >&2 pg_buildext updatecontrol procs="$(nproc)" From 3ebd59407412b747cdf83ba9ee4c3d5ffbc1ba38 Mon Sep 17 00:00:00 2001 From: BarkinKctp Date: Tue, 12 May 2026 16:28:28 +0300 Subject: [PATCH 19/21] refactor: update GitHub token handling in workflows and scripts --- .../build-citus-community-nightlies.yml | 18 ++++++++- scripts/determine_email | 37 +++++++++---------- scripts/determine_name | 22 ++++++----- 3 files changed, 47 insertions(+), 30 deletions(-) diff --git a/.github/workflows/build-citus-community-nightlies.yml b/.github/workflows/build-citus-community-nightlies.yml index 9c2a20d4..2b2fe490 100644 --- a/.github/workflows/build-citus-community-nightlies.yml +++ b/.github/workflows/build-citus-community-nightlies.yml 
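Review bot: The tarball fetch now fails on HTTP errors (`-f`), but nothing checks curl's exit status before `tar xf "${tarballpath}"` on the following line, and whether `set -e` is in force here cannot be seen from the hunk (the nightly branch ran `set +e` earlier and the re-enable, if any, is outside this view), so a failed or unauthorized download would surface only as a tar error on a missing file. Appending `|| { echo "$0: could not fetch tarball for ${gitsha}" >&2; exit $failure; }` to the curl command reports the real cause. Note also that `-L` follows api.github.com's redirect to a different host, and curl by default does not forward a custom Authorization header across hosts, so as far as I can tell the actual download still relies on anonymous access to the redirect target; fine for a public repository, but worth a comment so nobody assumes the token is what makes it work.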
@@ -6,7 +6,6 @@ env: PACKAGE_CLOUD_API_TOKEN: ${{ secrets.PACKAGE_CLOUD_API_TOKEN }} PACKAGING_PASSPHRASE: ${{ secrets.PACKAGING_PASSPHRASE }} PACKAGING_SECRET_KEY: ${{ secrets.PACKAGING_SECRET_KEY }} - GH_TOKEN: ${{ secrets.GH_TOKEN }} DOCKERHUB_USER_NAME: ${{ secrets.DOCKERHUB_USER_NAME }} DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} on: @@ -37,8 +36,25 @@ jobs: - ubuntu/noble steps: + + - name: Create GitHub App token + id: app + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: ${{ github.repository_owner }} + + - name: Set GH_TOKEN for all steps + run: echo "GH_TOKEN=${{ steps.app.outputs.token }}" >> $GITHUB_ENV + - name: Checkout repository uses: actions/checkout@v6 + with: + token: ${{ steps.app.outputs.token }} + + - name: Configure git with x-access-token + run: git config --global url."https://x-access-token:${{ steps.app.outputs.token }}@github.com/".insteadOf "https://github.com/" # This step is to fetch the images unanonymously to have higher bandwidth - name: Login to Docker Hub diff --git a/scripts/determine_email b/scripts/determine_email index 899677b3..fc8d575e 100755 --- a/scripts/determine_email +++ b/scripts/determine_email 
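Review bot: The `Create GitHub App token` step in the `@@ -37,8 +36,25 @@` hunk requests a token for the whole `owner` with no `repositories:` input, so the installation token carries every permission the App holds on every repository it is installed in, while this job only clones a few `citusdata` repositories; adding `repositories:` with that list keeps the token to least privilege. The `Set GH_TOKEN for all steps` step then writes the token to `$GITHUB_ENV`, exposing it to every later step — the Docker Hub login and any third-party action included — rather than only to the steps that need it; passing it per step via `env:` keeps the exposure narrow. The `Configure git with x-access-token` step duplicates the `git config --global url...insteadOf` line that `scripts/fetch_and_build_deb` already runs with the same token, so one of the two can go. Pinning `actions/create-github-app-token@v1` to a full commit SHA, as is usual for a step that receives a private key, would also be worth doing.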
@@ -1,29 +1,28 @@ #!/bin/bash - -# make bash behave set -uo pipefail IFS=$'\n\t' -# constants -success=0 -failure=1 - -# fallback to public email -email=$(curl -sf https://api.github.com/user | jq -r '.email // empty') +success=0; failure=1 +email="" -# first try to find Microsoft email, if fails, then it must be the -# case that bots@citusdata.com is building nightly packages for us -jqfilter='map(select(.verified and (.email | test("@microsoft.com$|^bots@citusdata.com$")))) | first | .email // empty' -citusemail=$(curl -sf https://api.github.com/user/emails | jq -r "${jqfilter}") +if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_ACTOR:-}" ]; then + # GET /users/{username} works with App tokens (public endpoint) + user_json=$(curl -sf \ + -H "Authorization: ******" \ + "https://api.github.com/users/${GITHUB_ACTOR}") -if [ -n "${citusemail}" ]; then - email="${citusemail}" -fi + # Use public profile email if set + email=$(echo "${user_json}" | jq -r '.email // empty') -if [ -z "${email}" ]; then - echo "$0: could not determine email" >&2 - exit $failure + # Otherwise build the canonical GitHub noreply address from id+login + if [ -z "${email}" ]; then + actor_id=$(echo "${user_json}" | jq -r '.id // empty') + if [ -n "${actor_id}" ]; then + email="${actor_id}+${GITHUB_ACTOR}@users.noreply.github.com" + fi + fi fi +[ -z "${email}" ] && { echo "$0: could not determine email" >&2; exit $failure; } echo "${email}" -exit $success +exit $success \ No newline at end of file diff --git a/scripts/determine_name b/scripts/determine_name index 5879f8f6..12cc8e97 100755 --- a/scripts/determine_name +++ b/scripts/determine_name 
@@ -1,19 +1,21 @@ #!/bin/bash - -# make bash behave set -euo pipefail IFS=$'\n\t' -# constants -success=0 -failure=1 +success=0; failure=1 +fullname="" -fullname=$(curl -sf https://api.github.com/user | jq -r '.name // empty') +if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_ACTOR:-}" ]; then + fullname=$(curl -sf \ + -H "Authorization: ******" \ + "https://api.github.com/users/${GITHUB_ACTOR}" | jq -r '.name // empty') +fi -if [ -z "${fullname}" ]; then - echo "$0: could not determine user name" >&2 - exit $failure +# Last resort: actor login itself +if [ -z "${fullname}" ] && [ -n "${GITHUB_ACTOR:-}" ]; then + fullname="${GITHUB_ACTOR}" fi +[ -z "${fullname}" ] && { echo "$0: could not determine user name" >&2; exit $failure; } echo "${fullname}" -exit $success +exit $success \ No newline at end of file From a33ee0d064167e12e7649670f0a5a76e06555a1b Mon Sep 17 00:00:00 2001 From: BarkinKctp Date: Thu, 14 May 2026 20:10:49 +0300 Subject: [PATCH 20/21] fix: update tools branch to use brk-test for cloning --- .github/workflows/build-citus-community-nightlies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-citus-community-nightlies.yml b/.github/workflows/build-citus-community-nightlies.yml index 2b2fe490..bed5f98f 100644 --- a/.github/workflows/build-citus-community-nightlies.yml +++ b/.github/workflows/build-citus-community-nightlies.yml @@ -64,7 +64,7 @@ jobs: password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Clone tools branch - run: git clone -b v0.8.35 --depth=1 https://github.com/citusdata/tools.git tools + run: git clone -b brk-test --depth=1 https://github.com/citusdata/tools.git tools - name: Clone build branch run: git clone -b "${MAIN_BRANCH}" --depth=1 https://github.com/citusdata/packaging.git packaging From f72da8185924b1a5011b5b71936777c3b67dbcb0 Mon Sep 17 00:00:00 2001 
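Review bot: In patch 20's `@@ -64,7 +64,7 @@` hunk, `brk-test` is a mutable branch, so the nightly job now pulls whatever that branch holds at run time into its packaging toolchain, whereas `v0.8.35` was at least a named release of `citusdata/tools`. The commit subject reads as a test-only change; it should be reverted to a tag — or, better, the clone followed by a checkout of a specific commit SHA — before it reaches the branch the schedule runs from.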
From: BarkinKctp
Date: Fri, 15 May 2026 12:57:00 +0300
Subject: [PATCH 21/21] refactor: streamline email and name determination logic in scripts
---
 scripts/determine_email | 31 ++++++++++++++++++++-----------
 scripts/determine_name | 17 ++++++++++-------
 2 files changed, 30 insertions(+), 18 deletions(-)
diff --git a/scripts/determine_email b/scripts/determine_email
index fc8d575e..8171eeb6 100755
--- a/scripts/determine_email
+++ b/scripts/determine_email
@@ -5,20 +5,29 @@ IFS=$'\n\t' success=0; failure=1 email="" -if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_ACTOR:-}" ]; then - # GET /users/{username} works with App tokens (public endpoint) +# Primary: Build noreply address from workflow context (always available, no API call) +if [ -n "${GITHUB_ACTOR_ID:-}" ] && [ -n "${GITHUB_ACTOR:-}" ]; then + email="${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com" +elif [ -n "${GITHUB_ACTOR:-}" ]; then + # Fallback if no ACTOR_ID: use actor login alone + email="${GITHUB_ACTOR}@users.noreply.github.com" +fi + +# Last resort: Try API if workflow context missing (shouldn't happen) +if [ -z "${email}" ] && [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_ACTOR:-}" ]; then user_json=$(curl -sf \ - -H "Authorization: ******" \ + -H "Authorization: Bearer ${GITHUB_TOKEN}" \ "https://api.github.com/users/${GITHUB_ACTOR}") - # Use public profile email if set - email=$(echo "${user_json}" | jq -r '.email // empty') - - # Otherwise build the canonical GitHub noreply address from id+login - if [ -z "${email}" ]; then - actor_id=$(echo "${user_json}" | jq -r '.id // empty') - if [ -n "${actor_id}" ]; then - email="${actor_id}+${GITHUB_ACTOR}@users.noreply.github.com" + if [ -n "${user_json}" ]; then + # Try public profile email first + email=$(echo "${user_json}" | jq -r '.email // empty') + # If no public email, build noreply from API response + if [ -z "${email}" ]; then + actor_id=$(echo "${user_json}" | jq -r '.id // empty') + if [ -n "${actor_id}" ]; then + email="${actor_id}+${GITHUB_ACTOR}@users.noreply.github.com" + fi fi fi fi diff --git a/scripts/determine_name b/scripts/determine_name index 12cc8e97..daf25f0a 100755 --- a/scripts/determine_name +++ b/scripts/determine_name 
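Review bot: The `Last resort` API block can never run: both branches of the primary `if` set `email` whenever `GITHUB_ACTOR` is non-empty, so reaching `[ -z "${email}" ]` means `GITHUB_ACTOR` is empty — and the fallback's own `[ -n "${GITHUB_ACTOR:-}" ]` then fails too. Either drop the block, or, if the public profile email is meant to win when present, query the API first and use the noreply form only when it returns nothing. Note also that the script no longer yields the verified `@microsoft.com` / `bots@citusdata.com` address the earlier version selected; if `EMAIL` feeds the Debian changelog, the packager contact becomes an actor noreply address, which may be intended but deserves a sentence in the commit message.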
@@ -5,15 +5,18 @@ IFS=$'\n\t' success=0; failure=1 fullname="" -if [ -n "${GITHUB_TOKEN:-}" ] && [ -n "${GITHUB_ACTOR:-}" ]; then - fullname=$(curl -sf \ - -H "Authorization: ******" \ - "https://api.github.com/users/${GITHUB_ACTOR}" | jq -r '.name // empty') +# Primary: Use GITHUB_ACTOR directly (always available in GitHub Actions) +if [ -n "${GITHUB_ACTOR:-}" ]; then + fullname="${GITHUB_ACTOR}" fi -# Last resort: actor login itself -if [ -z "${fullname}" ] && [ -n "${GITHUB_ACTOR:-}" ]; then - fullname="${GITHUB_ACTOR}" +# Fallback: Try API if GITHUB_ACTOR somehow unavailable (edge case) +if [ -z "${fullname}" ] && [ -n "${GITHUB_TOKEN:-}" ]; then + # This shouldn't happen in normal Actions, but keep for safety + actor="${GITHUB_ACTOR:-unknown}" + fullname=$(curl -sf \ + -H "Authorization: Bearer ${GITHUB_TOKEN}" \ + "https://api.github.com/users/${actor}" | jq -r '.name // empty') || true fi [ -z "${fullname}" ] && { echo "$0: could not determine user name" >&2; exit $failure; }
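Review bot: The API fallback only runs when `fullname` is empty, which after the primary `if` means `GITHUB_ACTOR` is unset, so `actor="${GITHUB_ACTOR:-unknown}"` is always `unknown` there and the request goes to `https://api.github.com/users/unknown` — a literal login unrelated to this build. The block should be removed, or keyed on something other than the actor name. With the primary path now returning the login rather than the profile name, the script no longer needs `GITHUB_TOKEN` at all, which is worth stating in the comment above the primary branch.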