Skip to content

feat(auth): wire mif-rs into the release app's consumers#46

Closed
zircote wants to merge 1 commit into
mainfrom
feat/mif-rs-release-app-consumer
Closed

feat(auth): wire mif-rs into the release app's consumers#46
zircote wants to merge 1 commit into
mainfrom
feat/mif-rs-release-app-consumer

Conversation

@zircote

@zircote zircote commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary

Wires mif-rs into the release app's consumers. mif-rs's GHCR packages (mif-cli, mif-mcp) came up private on first push, even though the repo itself is public - that was blocking reusable-trivy.yml's image job (see #45), which needs to pull the image to scan it.

The release app already has packages: write, installed org-wide - it just had no consumer in mif-rs yet (unlike the other five repos already using it for release.yml).

Change

Adds mif-rs/.github/workflows/admin-set-package-visibility.yml to the release app's consumers list in auth/apps.json. That workflow (in the mif-rs repo, pushed separately) is a workflow_dispatch-only one-off admin action - it mints a release app token and sets both packages to public. Not part of the release pipeline; GHCR visibility persists once set, so this doesn't need to run per-release.

Test plan

  • Ran app-manifest-validate.yml's jq checks locally against the edited auth/apps.json - pass, 5 apps verified
  • Dispatch the new mif-rs workflow once merged, confirm both packages report public

mif-rs needs a one-off admin action to set its GHCR package
visibility to public (they default to private even for a public
repo, which was blocking reusable-trivy.yml's image scan job.
The release app already has packages:write, installed org-wide -
it just wasn't wired up as a consumer from any mif-rs workflow yet.

Adds mif-rs/.github/workflows/admin-set-package-visibility.yml to
the release app's consumers list.
EOF
)
Copilot AI review requested due to automatic review settings July 2, 2026 22:59

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the org GitHub App auth manifest to allow the release GitHub App to be used by mif-rs’s one-off admin workflow that sets GHCR package visibility, unblocking downstream consumers (e.g., Trivy image scanning) when images initially land as private.

Changes:

  • Adds mif-rs/.github/workflows/admin-set-package-visibility.yml to the release app’s consumers list in auth/apps.json.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@zircote

zircote commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Closing this. The workflow this wired up (mif-rs/.github/workflows/admin-set-package-visibility.yml) assumed a PATCH endpoint for changing GHCR package visibility that turns out not to exist anywhere in GitHub's REST API - confirmed against the actual Packages API docs (GET/DELETE/POST-restore only, for any auth type including App tokens). Both the earlier PAT attempt and this App-token attempt 404'd for that reason, not a scope problem. I removed the workflow from mif-rs since it can never work; package visibility can only be changed through the web UI.

@zircote zircote closed this Jul 2, 2026
@zircote zircote deleted the feat/mif-rs-release-app-consumer branch July 2, 2026 23:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants