feat(auth): wire mif-rs into the release app's consumers#46
Conversation
mif-rs needs a one-off admin action to set its GHCR package visibility to public (they default to private even for a public repo, which was blocking reusable-trivy.yml's image scan job. The release app already has packages:write, installed org-wide - it just wasn't wired up as a consumer from any mif-rs workflow yet. Adds mif-rs/.github/workflows/admin-set-package-visibility.yml to the release app's consumers list. EOF )
There was a problem hiding this comment.
Pull request overview
Updates the org GitHub App auth manifest to allow the release GitHub App to be used by mif-rs’s one-off admin workflow that sets GHCR package visibility, unblocking downstream consumers (e.g., Trivy image scanning) when images initially land as private.
Changes:
- Adds
mif-rs/.github/workflows/admin-set-package-visibility.ymlto thereleaseapp’sconsumerslist inauth/apps.json.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Closing this. The workflow this wired up ( |
Summary
Wires
mif-rsinto thereleaseapp's consumers.mif-rs's GHCR packages (mif-cli,mif-mcp) came up private on first push, even though the repo itself is public - that was blockingreusable-trivy.yml'simagejob (see #45), which needs to pull the image to scan it.The
releaseapp already haspackages: write, installed org-wide - it just had no consumer inmif-rsyet (unlike the other five repos already using it forrelease.yml).Change
Adds
mif-rs/.github/workflows/admin-set-package-visibility.ymlto thereleaseapp'sconsumerslist inauth/apps.json. That workflow (in themif-rsrepo, pushed separately) is aworkflow_dispatch-only one-off admin action - it mints areleaseapp token and sets both packages to public. Not part of the release pipeline; GHCR visibility persists once set, so this doesn't need to run per-release.Test plan
app-manifest-validate.yml's jq checks locally against the editedauth/apps.json- pass, 5 apps verifiedmif-rsworkflow once merged, confirm both packages reportpublic