From abfdb230d1fdff306cac3cdfd6f8b237f307afdc Mon Sep 17 00:00:00 2001 From: Ibrahim Halatci Date: Fri, 19 Jun 2026 13:49:55 +0300 Subject: [PATCH 1/7] Phase 2: migrate workflows to GitHub App token + pin tools v0.8.36-dev3 Mint a GitHub App token (actions/create-github-app-token@v3) per job and export it to GH_TOKEN + GITHUB_TOKEN via \, overriding the workflow-level token for subsequent steps. Workflow-level secrets.GH_TOKEN refs are kept live (removed only in Phase 6). Bump tools pin v0.8.36-dev2 -> v0.8.36-dev3 in the 5 signing/publish/health workflows. docker/login-action already at @v4. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../workflows/build-citus-community-nightlies.yml | 15 ++++++++++++++- .github/workflows/build-package-test.yml | 15 ++++++++++++++- .github/workflows/build-package.yml | 15 ++++++++++++++- .github/workflows/build-pgazure-nightlies.yml | 15 ++++++++++++++- .github/workflows/image-health-check.yml | 15 ++++++++++++++- .github/workflows/update-pgxn-version.yml | 13 +++++++++++++ 6 files changed, 83 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-citus-community-nightlies.yml b/.github/workflows/build-citus-community-nightlies.yml index 39757b48..626cb1df 100644 --- a/.github/workflows/build-citus-community-nightlies.yml +++ b/.github/workflows/build-citus-community-nightlies.yml 
@@ -40,6 +40,19 @@ jobs: - name: Checkout repository uses: actions/checkout@v6 + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@v3 + with: + app-id: ${{ vars.GH_APP_ID || secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: citusdata + + - name: Export App token to environment + run: | + echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + echo "GITHUB_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + # This step is to fetch the images unanonymously to have higher bandwidth - name: Login to Docker Hub uses: docker/login-action@v4 @@ -48,7 +61,7 @@ jobs: password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Clone tools branch - run: git clone -b v0.8.36-dev2 --depth=1 https://github.com/citusdata/tools.git tools + run: git clone -b v0.8.36-dev3 --depth=1 https://github.com/citusdata/tools.git tools - name: Clone build branch run: git clone -b "${MAIN_BRANCH}" --depth=1 https://github.com/citusdata/packaging.git packaging diff --git a/.github/workflows/build-package-test.yml b/.github/workflows/build-package-test.yml index dd8393b8..1ef6a588 100644 --- a/.github/workflows/build-package-test.yml +++ b/.github/workflows/build-package-test.yml @@ -60,6 +60,19 @@ jobs: - name: Checkout repository uses: actions/checkout@v6 + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@v3 + with: + app-id: ${{ vars.GH_APP_ID || secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: citusdata + + - name: Export App token to environment + run: | + echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + echo "GITHUB_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + - name: Install package dependencies run: | sudo apt-get update 
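Review bot: The token minted in `Generate GitHub App token` is broader and more widely exposed than this job appears to need. With `owner: citusdata` and no `repositories:` input, the action issues a token for every repository the App installation can reach under that owner, and the `Export App token to environment` step writes it to `$GITHUB_ENV`, so every later step inherits it, including `docker/login-action` and whatever runs from the `tools` and `packaging` clones in the next hunk. Consider adding a `repositories:` list naming only the repositories the job touches (the action's `permission-<name>` inputs can narrow it further), and passing the token through a step-level `env:` entry, `GH_TOKEN: ${{ steps.app-token.outputs.token }}`, on the steps that actually call GitHub. The same two steps are added unchanged in build-package-test.yml, build-package.yml, build-pgazure-nightlies.yml, image-health-check.yml and update-pgxn-version.yml. The job continues outside this hunk, so which steps need the token is not visible here.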
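Review bot: `actions/create-github-app-token@v3` is referenced by a movable tag in the very step that receives `secrets.GH_APP_KEY`, so whatever code that tag points to at run time is handed the App private key. Pinning the step to a full commit SHA with the tag kept as a trailing comment, `uses: actions/create-github-app-token@<full-commit-sha-placeholder> # v3`, ties the key to a release that has been reviewed. The `git clone -b v0.8.36-dev3 … citusdata/tools.git` step in the following hunk is in the same position: it resolves a tag, and its checkout presumably runs after the token has been exported, so comparing the cloned HEAD against an expected commit would be a comparable guard. The other five token hunks in this patch use the same `@v3` reference.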
@@ -78,7 +91,7 @@ jobs: POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} - name: Clone tools repo for test - run: git clone -b v0.8.36-dev2 --depth=1 https://github.com/citusdata/tools.git tools + run: git clone -b v0.8.36-dev3 --depth=1 https://github.com/citusdata/tools.git tools - name: Execute packaging tests run: | diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml index d4c67b2c..84e9a4ec 100644 --- a/.github/workflows/build-package.yml +++ b/.github/workflows/build-package.yml @@ -60,6 +60,19 @@ jobs: - name: Checkout repository uses: actions/checkout@v6 + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@v3 + with: + app-id: ${{ vars.GH_APP_ID || secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: citusdata + + - name: Export App token to environment + run: | + echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + echo "GITHUB_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + - name: Install package dependencies run: | sudo apt-get update @@ -78,7 +91,7 @@ jobs: POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} - name: Clone tools repo for test - run: git clone -b v0.8.36-dev2 --depth=1 https://github.com/citusdata/tools.git tools + run: git clone -b v0.8.36-dev3 --depth=1 https://github.com/citusdata/tools.git tools - name: Execute packaging tests run: | diff --git a/.github/workflows/build-pgazure-nightlies.yml b/.github/workflows/build-pgazure-nightlies.yml index 6239e874..0da969c5 100644 --- a/.github/workflows/build-pgazure-nightlies.yml +++ b/.github/workflows/build-pgazure-nightlies.yml 
@@ -41,6 +41,19 @@ jobs: - name: Checkout repository uses: actions/checkout@v6 + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@v3 + with: + app-id: ${{ vars.GH_APP_ID || secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: citusdata + + - name: Export App token to environment + run: | + echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + echo "GITHUB_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + # This step is to fetch the images unanonymously to have higher bandwidth - name: Login to Docker Hub uses: docker/login-action@v4 @@ -49,7 +62,7 @@ jobs: password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Clone tools branch - run: git clone -b v0.8.36-dev2 --depth=1 https://github.com/citusdata/tools.git tools + run: git clone -b v0.8.36-dev3 --depth=1 https://github.com/citusdata/tools.git tools - name: Clone build branch run: git clone -b "${MAIN_BRANCH}" --depth=1 https://github.com/citusdata/packaging.git packaging diff --git a/.github/workflows/image-health-check.yml b/.github/workflows/image-health-check.yml index 073dee1e..52c7b9e3 100644 --- a/.github/workflows/image-health-check.yml +++ b/.github/workflows/image-health-check.yml @@ -62,6 +62,19 @@ jobs: - name: Checkout repository uses: actions/checkout@v6 + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@v3 + with: + app-id: ${{ vars.GH_APP_ID || secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: citusdata + + - name: Export App token to environment + run: | + echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + echo "GITHUB_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + - name: Install package dependencies run: | sudo apt-get update 
@@ -80,7 +93,7 @@ jobs: POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} - name: Clone tools repo for test - run: git clone -b v0.8.36-dev2 --depth=1 https://github.com/citusdata/tools.git tools + run: git clone -b v0.8.36-dev3 --depth=1 https://github.com/citusdata/tools.git tools - name: Execute packaging tests run: | diff --git a/.github/workflows/update-pgxn-version.yml b/.github/workflows/update-pgxn-version.yml index b285ab45..7ff60d69 100644 --- a/.github/workflows/update-pgxn-version.yml +++ b/.github/workflows/update-pgxn-version.yml @@ -18,6 +18,19 @@ jobs: steps: - uses: actions/checkout@v6 + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@v3 + with: + app-id: ${{ vars.GH_APP_ID || secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_KEY }} + owner: citusdata + + - name: Export App token to environment + run: | + echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + echo "GITHUB_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + - name: Install dependencies run: | sudo apt-get update From 92be2293e820e95864948f59a3b88916cf2acee6 Mon Sep 17 00:00:00 2001 From: Ibrahim Halatci Date: Fri, 19 Jun 2026 15:24:16 +0300 Subject: [PATCH 2/7] Phase 2: pin remaining tools clones to v0.8.36-dev3 Fold the two leftover v0.8.35 tools clones (update-pgxn-version.yml, update_package_properties.yml) into the Phase 2 dev3 pin so all tools references are consistent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/update-pgxn-version.yml | 2 +- .github/workflows/update_package_properties.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/update-pgxn-version.yml b/.github/workflows/update-pgxn-version.yml index 7ff60d69..1bd88732 100644 --- a/.github/workflows/update-pgxn-version.yml +++ b/.github/workflows/update-pgxn-version.yml 
@@ -37,7 +37,7 @@ jobs: sudo apt-get install -y libcurl4-openssl-dev libssl-dev - name: Clone Tools branch - run: git clone --branch v0.8.35 https://github.com/citusdata/tools.git + run: git clone --branch v0.8.36-dev3 https://github.com/citusdata/tools.git - name: Install Python requirements run: python -m pip install -r tools/packaging_automation/requirements.txt diff --git a/.github/workflows/update_package_properties.yml b/.github/workflows/update_package_properties.yml index f08c98a2..a08f04e5 100644 --- a/.github/workflows/update_package_properties.yml +++ b/.github/workflows/update_package_properties.yml @@ -23,7 +23,7 @@ jobs: # Runs a single command using the runners shell - name: Clone Tools branch - run: git clone --depth 1 --branch v0.8.35 https://github.com/citusdata/tools.git + run: git clone --depth 1 --branch v0.8.36-dev3 https://github.com/citusdata/tools.git # Runs a set of commands using the runners shell - name: Execute Package Properties Update From 16a83d6beb44031db171fe5d2317a288d429213e Mon Sep 17 00:00:00 2001 From: Citus Bot Date: Fri, 19 Jun 2026 16:07:34 +0300 Subject: [PATCH 3/7] Phase 2a: drop /user from determine_name/determine_email (R1 App-token fix) GitHub App installation tokens have no /user endpoint and return 403, which aborted the build container at the identity assignment with empty output. Resolve packager identity env-first (PACKAGER_NAME/PACKAGER_EMAIL, RPM_PACKAGER, DEBFULLNAME/DEBEMAIL) with a fixed 'Citus Bot ' fallback so the all-platforms test path greens without identity env. ~/.curlrc writes are retained (reused for App-safe /repos + tarball source fetch). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- scripts/determine_email | 27 ++++++++++++++++----------- scripts/determine_name | 23 +++++++++++++++++------ 2 files changed, 33 insertions(+), 17 deletions(-) diff --git a/scripts/determine_email b/scripts/determine_email index 899677b3..26d92f84 100755 --- a/scripts/determine_email 
+++ b/scripts/determine_email @@ -6,23 +6,28 @@ IFS=$'\n\t' # constants success=0 -failure=1 -# fallback to public email -email=$(curl -sf https://api.github.com/user | jq -r '.email // empty') +# Resolve the packager email WITHOUT contacting api.github.com/user or +# /user/emails, which are incompatible with GitHub App installation tokens (the +# App identity has no user endpoint and returns 403). Precedence: explicit env, +# then the address embedded in RPM_PACKAGER, then a fixed bot identity. +email="${PACKAGER_EMAIL:-}" -# first try to find Microsoft email, if fails, then it must be the -# case that bots@citusdata.com is building nightly packages for us -jqfilter='map(select(.verified and (.email | test("@microsoft.com$|^bots@citusdata.com$")))) | first | .email // empty' -citusemail=$(curl -sf https://api.github.com/user/emails | jq -r "${jqfilter}") +if [ -z "${email}" ]; then + email="${DEBEMAIL:-}" +fi -if [ -n "${citusemail}" ]; then - email="${citusemail}" +if [ -z "${email}" ] && [ -n "${RPM_PACKAGER:-}" ]; then + # Extract the address from "Full Name " if present. + case "${RPM_PACKAGER}" in + *"<"*">"*) + email="$(printf '%s' "${RPM_PACKAGER}" | sed -E 's/^.*<([^>]*)>.*$/\1/')" + ;; + esac fi if [ -z "${email}" ]; then - echo "$0: could not determine email" >&2 - exit $failure + email="bots@citusdata.com" fi echo "${email}" diff --git a/scripts/determine_name b/scripts/determine_name index 5879f8f6..ed828ea7 100755 --- a/scripts/determine_name +++ b/scripts/determine_name 
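Review bot: The lookup order in this hunk matches neither its own header comment nor scripts/determine_name. The code tries `PACKAGER_EMAIL`, then `DEBEMAIL`, then the address inside `RPM_PACKAGER`, while the comment lists only explicit env, `RPM_PACKAGER` and the bot fallback, and determine_name consults `RPM_PACKAGER` before `DEBFULLNAME`. If `RPM_PACKAGER` and the `DEB*` variables are both set and describe different people, the packager name comes from one and the email from the other. Moving the `DEBEMAIL` block below the `RPM_PACKAGER` block and ending the comment with `# then the address embedded in RPM_PACKAGER, then DEBEMAIL, then a fixed bot identity.` keeps the pair consistent. The script starts above this hunk, so any earlier handling of these variables is not visible.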
@@ -6,14 +6,25 @@ IFS=$'\n\t' # constants success=0 -failure=1 -fullname=$(curl -sf https://api.github.com/user | jq -r '.name // empty') +# Resolve the packager name WITHOUT contacting api.github.com/user, which is +# incompatible with GitHub App installation tokens (the App identity has no user +# endpoint and returns 403). Precedence: explicit env, then the name portion of +# RPM_PACKAGER, then DEBFULLNAME, then a fixed bot identity. +name="${PACKAGER_NAME:-}" -if [ -z "${fullname}" ]; then - echo "$0: could not determine user name" >&2 - exit $failure +if [ -z "${name}" ] && [ -n "${RPM_PACKAGER:-}" ]; then + # RPM_PACKAGER is typically "Full Name "; drop the address. + name="$(printf '%s' "${RPM_PACKAGER}" | sed -E 's/[[:space:]]*<[^>]*>[[:space:]]*$//')" fi -echo "${fullname}" +if [ -z "${name}" ]; then + name="${DEBFULLNAME:-}" +fi + +if [ -z "${name}" ]; then + name="Citus Bot" +fi + +echo "${name}" exit $success From 05f555787fbe6b5f3ef1abc06a9b3d1f6a8371c7 Mon Sep 17 00:00:00 2001 
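Review bot: The fallback `name="Citus Bot"` is silent, whereas the removed code printed `could not determine user name` and exited non-zero. A build that was meant to carry a human packager but lost its identity variables now produces bot-attributed packages with nothing in the log to show it. A one-line notice on stderr just before the fallback assignment, `echo "$0: no packager name in environment, using 'Citus Bot'" >&2`, leaves an audit trail and keeps stdout clean for callers that capture it (assumed; the callers are not part of this patch). The `bots@citusdata.com` fallback in scripts/determine_email would benefit from the same line. The script begins above this hunk.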
From: Ibrahim Halatci Date: Fri, 19 Jun 2026 17:30:28 +0300 Subject: [PATCH 4/7] Phase 2a: pass POSTGRES_VERSION to packaging tests + pin tools v0.8.36-dev4 Roll-forward fix for the rpm reds: pass the matrix leg's POSTGRES_VERSION into the 'Execute packaging tests' env so dev4's test_build_packages builds+tests ONLY the leg's own locally-built, R1-fixed image instead of iterating all pg versions and docker-pulling stale sibling images (which 403 on /user under the App token). deb/pgxn include-legs leave POSTGRES_VERSION empty -> None -> all/[all], no regression. Re-pins the pytest tools-clone dev3->dev4 in the 3 build/test workflows. Token mints (@v3), docker/login (@v4), the determine_name/determine_email R1 fix, and the dev3 pins in the 4 nightly/write workflows are untouched. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/build-package-test.yml | 3 ++- .github/workflows/build-package.yml | 3 ++- .github/workflows/image-health-check.yml | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-package-test.yml b/.github/workflows/build-package-test.yml index 1ef6a588..4159536b 100644 --- a/.github/workflows/build-package-test.yml +++ b/.github/workflows/build-package-test.yml @@ -91,7 +91,7 @@ jobs: POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} - name: Clone tools repo for test - run: git clone -b v0.8.36-dev3 --depth=1 https://github.com/citusdata/tools.git tools + run: git clone -b v0.8.36-dev4 --depth=1 https://github.com/citusdata/tools.git tools - name: Execute packaging tests run: | @@ -99,6 +99,7 @@ jobs: python -m pytest -q tools/packaging_automation/tests/test_citus_package.py -k 'test_build_packages' env: PACKAGING_IMAGE_PLATFORM: "${{matrix.TARGET_PLATFORM}}" + POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} - name: Push images run: | diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml index 84e9a4ec..35cdd2eb 100644 
--- a/.github/workflows/build-package.yml +++ b/.github/workflows/build-package.yml @@ -91,7 +91,7 @@ jobs: POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} - name: Clone tools repo for test - run: git clone -b v0.8.36-dev3 --depth=1 https://github.com/citusdata/tools.git tools + run: git clone -b v0.8.36-dev4 --depth=1 https://github.com/citusdata/tools.git tools - name: Execute packaging tests run: | @@ -99,6 +99,7 @@ jobs: python -m pytest -q tools/packaging_automation/tests/test_citus_package.py -k 'test_build_packages' env: PACKAGING_IMAGE_PLATFORM: "${{matrix.TARGET_PLATFORM}}" + POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} - name: Push images run: | diff --git a/.github/workflows/image-health-check.yml b/.github/workflows/image-health-check.yml index 52c7b9e3..b6b5f76b 100644 --- a/.github/workflows/image-health-check.yml +++ b/.github/workflows/image-health-check.yml @@ -93,7 +93,7 @@ jobs: POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} - name: Clone tools repo for test - run: git clone -b v0.8.36-dev3 --depth=1 https://github.com/citusdata/tools.git tools + run: git clone -b v0.8.36-dev4 --depth=1 https://github.com/citusdata/tools.git tools - name: Execute packaging tests run: | @@ -101,4 +101,5 @@ jobs: python -m pytest -q tools/packaging_automation/tests/test_citus_package.py -k 'test_build_packages' env: PACKAGING_IMAGE_PLATFORM: "${{matrix.TARGET_PLATFORM}}" + POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} From cd6d03b156803e6a11a6f944c481646fc48da7b5 Mon Sep 17 00:00:00 2001 
From: Ibrahim Halatci Date: Fri, 19 Jun 2026 18:31:26 +0300 Subject: [PATCH 5/7] Phase 2a: re-pin pytest tools-clone v0.8.36-dev4 -> v0.8.36-dev5 dev5 fixes the two remaining rpm test-harness bugs surfaced by dev4: (1) the build-count assertion now expects 1xcount when POSTGRES_VERSION is set, and (2) pytest.skip when the leg's matrix pg version is not in the distro's release set (so pg14/pg18 legs skip the test but still run push_images to reseed their update_image-built base images). POSTGRES_VERSION env (added previously) stays as-is. Token mints (@v3), docker/login (@v4), the R1 determine_name/determine_email fix, and the dev3 pins in the 4 nightly/write workflows are untouched. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/build-package-test.yml | 2 +- .github/workflows/build-package.yml | 2 +- .github/workflows/image-health-check.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-package-test.yml b/.github/workflows/build-package-test.yml index 4159536b..e257053b 100644 --- a/.github/workflows/build-package-test.yml +++ b/.github/workflows/build-package-test.yml @@ -91,7 +91,7 @@ jobs: POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} - name: Clone tools repo for test - run: git clone -b v0.8.36-dev4 --depth=1 https://github.com/citusdata/tools.git tools + run: git clone -b v0.8.36-dev5 --depth=1 https://github.com/citusdata/tools.git tools - name: Execute packaging tests run: | diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml index 35cdd2eb..25f56a8f 100644 --- a/.github/workflows/build-package.yml +++ b/.github/workflows/build-package.yml 
@@ -91,7 +91,7 @@ jobs: POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} - name: Clone tools repo for test - run: git clone -b v0.8.36-dev4 --depth=1 https://github.com/citusdata/tools.git tools + run: git clone -b v0.8.36-dev5 --depth=1 https://github.com/citusdata/tools.git tools - name: Execute packaging tests run: | diff --git a/.github/workflows/image-health-check.yml b/.github/workflows/image-health-check.yml index b6b5f76b..2ad27907 100644 --- a/.github/workflows/image-health-check.yml +++ b/.github/workflows/image-health-check.yml @@ -93,7 +93,7 @@ jobs: POSTGRES_VERSION: ${{ matrix.POSTGRES_VERSION }} - name: Clone tools repo for test - run: git clone -b v0.8.36-dev4 --depth=1 https://github.com/citusdata/tools.git tools + run: git clone -b v0.8.36-dev5 --depth=1 https://github.com/citusdata/tools.git tools - name: Execute packaging tests run: | From d03fd870cecc99542541918fc04543e4c030313b Mon Sep 17 00:00:00 2001 From: Ibrahim Halatci Date: Fri, 19 Jun 2026 23:01:43 +0300 Subject: [PATCH 6/7] Phase 2a: unify all workflow tools-clones to v0.8.36-dev5 Bump the 4 nightly/write workflows (build-citus-community-nightlies, build-pgazure-nightlies, update-pgxn-version, update_package_properties) from v0.8.36-dev3 to v0.8.36-dev5 so every workflow in the repo pins the same tools tag. dev3..dev5 changes only packaging_automation/citus_package.py (new optional postgres_version arg, default None -> identical iteration when unset) and tests/test_citus_package.py (pytest-only). Neither nightly passes postgres_version, and update-*/update_package_properties do not invoke citus_package.py, so behavior is unchanged. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/build-citus-community-nightlies.yml | 2 +- .github/workflows/build-pgazure-nightlies.yml | 2 +- .github/workflows/update-pgxn-version.yml | 2 +- .github/workflows/update_package_properties.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/build-citus-community-nightlies.yml b/.github/workflows/build-citus-community-nightlies.yml index 626cb1df..a8026880 100644 --- a/.github/workflows/build-citus-community-nightlies.yml +++ b/.github/workflows/build-citus-community-nightlies.yml @@ -61,7 +61,7 @@ jobs: password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Clone tools branch - run: git clone -b v0.8.36-dev3 --depth=1 https://github.com/citusdata/tools.git tools + run: git clone -b v0.8.36-dev5 --depth=1 https://github.com/citusdata/tools.git tools - name: Clone build branch run: git clone -b "${MAIN_BRANCH}" --depth=1 https://github.com/citusdata/packaging.git packaging diff --git a/.github/workflows/build-pgazure-nightlies.yml b/.github/workflows/build-pgazure-nightlies.yml index 0da969c5..fda668c3 100644 --- a/.github/workflows/build-pgazure-nightlies.yml +++ b/.github/workflows/build-pgazure-nightlies.yml @@ -62,7 +62,7 @@ jobs: password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Clone tools branch - run: git clone -b v0.8.36-dev3 --depth=1 https://github.com/citusdata/tools.git tools + run: git clone -b v0.8.36-dev5 --depth=1 https://github.com/citusdata/tools.git tools - name: Clone build branch run: git clone -b "${MAIN_BRANCH}" --depth=1 https://github.com/citusdata/packaging.git packaging diff --git a/.github/workflows/update-pgxn-version.yml b/.github/workflows/update-pgxn-version.yml index 1bd88732..57966691 100644 --- a/.github/workflows/update-pgxn-version.yml +++ b/.github/workflows/update-pgxn-version.yml @@ -37,7 +37,7 @@ jobs: sudo apt-get install -y libcurl4-openssl-dev libssl-dev - name: Clone Tools branch - run: git clone --branch v0.8.36-dev3 https://github.com/citusdata/tools.git + run: git clone --branch v0.8.36-dev5 https://github.com/citusdata/tools.git - name: Install Python requirements run: python -m pip install -r tools/packaging_automation/requirements.txt 
diff --git a/.github/workflows/update_package_properties.yml b/.github/workflows/update_package_properties.yml index a08f04e5..cb80566b 100644 --- a/.github/workflows/update_package_properties.yml +++ b/.github/workflows/update_package_properties.yml @@ -23,7 +23,7 @@ jobs: # Runs a single command using the runners shell - name: Clone Tools branch - run: git clone --depth 1 --branch v0.8.36-dev3 https://github.com/citusdata/tools.git + run: git clone --depth 1 --branch v0.8.36-dev5 https://github.com/citusdata/tools.git # Runs a set of commands using the runners shell - name: Execute Package Properties Update From ae12aad140844085e6e11c2faf5d5f21b32bb15e Mon Sep 17 00:00:00 2001 From: Ibrahim Halatci Date: Fri, 19 Jun 2026 23:03:39 +0300 Subject: [PATCH 7/7] ci: use org variable for app-id, drop secrets fallback GH_APP_ID is an org variable, not a secret. Simplify the create-github-app-token app-id input from vars.GH_APP_ID || secrets.GH_APP_ID to just vars.GH_APP_ID across all 6 token mints. private-key stays secrets.GH_APP_KEY (a real secret). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/build-citus-community-nightlies.yml | 2 +- .github/workflows/build-package-test.yml | 2 +- .github/workflows/build-package.yml | 2 +- .github/workflows/build-pgazure-nightlies.yml | 2 +- .github/workflows/image-health-check.yml | 2 +- .github/workflows/update-pgxn-version.yml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build-citus-community-nightlies.yml b/.github/workflows/build-citus-community-nightlies.yml index a8026880..d9447a7b 100644 --- a/.github/workflows/build-citus-community-nightlies.yml +++ b/.github/workflows/build-citus-community-nightlies.yml @@ -44,7 +44,7 @@ jobs: id: app-token uses: actions/create-github-app-token@v3 with: - app-id: ${{ vars.GH_APP_ID || secrets.GH_APP_ID }} + app-id: ${{ vars.GH_APP_ID }} private-key: ${{ secrets.GH_APP_KEY }} owner: citusdata 
diff --git a/.github/workflows/build-package-test.yml b/.github/workflows/build-package-test.yml index e257053b..afd65fe6 100644 --- a/.github/workflows/build-package-test.yml +++ b/.github/workflows/build-package-test.yml @@ -64,7 +64,7 @@ jobs: id: app-token uses: actions/create-github-app-token@v3 with: - app-id: ${{ vars.GH_APP_ID || secrets.GH_APP_ID }} + app-id: ${{ vars.GH_APP_ID }} private-key: ${{ secrets.GH_APP_KEY }} owner: citusdata diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml index 25f56a8f..fbb88354 100644 --- a/.github/workflows/build-package.yml +++ b/.github/workflows/build-package.yml @@ -64,7 +64,7 @@ jobs: id: app-token uses: actions/create-github-app-token@v3 with: - app-id: ${{ vars.GH_APP_ID || secrets.GH_APP_ID }} + app-id: ${{ vars.GH_APP_ID }} private-key: ${{ secrets.GH_APP_KEY }} owner: citusdata diff --git a/.github/workflows/build-pgazure-nightlies.yml b/.github/workflows/build-pgazure-nightlies.yml index fda668c3..6a534837 100644 --- a/.github/workflows/build-pgazure-nightlies.yml +++ b/.github/workflows/build-pgazure-nightlies.yml @@ -45,7 +45,7 @@ jobs: id: app-token uses: actions/create-github-app-token@v3 with: - app-id: ${{ vars.GH_APP_ID || secrets.GH_APP_ID }} + app-id: ${{ vars.GH_APP_ID }} private-key: ${{ secrets.GH_APP_KEY }} owner: citusdata diff --git a/.github/workflows/image-health-check.yml b/.github/workflows/image-health-check.yml index 2ad27907..216e3b9c 100644 --- a/.github/workflows/image-health-check.yml +++ b/.github/workflows/image-health-check.yml @@ -66,7 +66,7 @@ jobs: id: app-token uses: actions/create-github-app-token@v3 with: - app-id: ${{ vars.GH_APP_ID || secrets.GH_APP_ID }} + app-id: ${{ vars.GH_APP_ID }} private-key: ${{ secrets.GH_APP_KEY }} owner: citusdata diff --git a/.github/workflows/update-pgxn-version.yml b/.github/workflows/update-pgxn-version.yml index 57966691..1e5ce600 100644 --- a/.github/workflows/update-pgxn-version.yml 
+++ b/.github/workflows/update-pgxn-version.yml @@ -22,7 +22,7 @@ jobs: id: app-token uses: actions/create-github-app-token@v3 with: - app-id: ${{ vars.GH_APP_ID || secrets.GH_APP_ID }} + app-id: ${{ vars.GH_APP_ID }} private-key: ${{ secrets.GH_APP_KEY }} owner: citusdata