fix(ci): add pre-flight token validation and fix permissions block in squad-mark-released#271
Merged
Conversation
Contributor
🏗️ PR Added to Squad Triage QueueThis PR has been labeled with Next steps:
|
There was a problem hiding this comment.
Pull request overview
This PR fixes the failing squad-mark-released GitHub Actions workflow by ensuring it uses a properly configured Projects-capable token and fails early when the required secret is missing, and it documents the operational learning in Boromir’s history.
Changes:
- Added a pre-flight step to validate
GH_PROJECT_TOKENis configured before attempting ProjectV2 GraphQL operations. - Adjusted workflow permissions and added top-of-file documentation about the required token/scope.
- Updated
.squad/agents/boromir/history.mdwith the root cause and remediation notes for Issue #268.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
.github/workflows/squad-mark-released.yml |
Adds token preflight validation + updates permissions/commentary + changes actions/github-script version. |
.squad/agents/boromir/history.md |
Records the incident, root cause, and what was changed for Issue #268. |
|
|
||
| - name: Move Done → Released on project board | ||
| uses: actions/github-script@v9 | ||
| uses: actions/github-script@v7 |
Comment on lines
+8
to
+11
| # NOTE: The default GITHUB_TOKEN cannot access GitHub Projects V2 via GraphQL. | ||
| # This workflow requires a repository secret named GH_PROJECT_TOKEN set to a | ||
| # classic Personal Access Token (PAT) with the `project` OAuth scope. | ||
| # See: https://docs.github.com/en/issues/planning-and-tracking-with-projects/automating-your-project/using-the-api-to-manage-projects |
| **Key lesson:** For GitHub Projects V2 GraphQL, `GITHUB_TOKEN` is never sufficient regardless of `permissions` block settings. A classic PAT with `project` OAuth scope (or fine-grained PAT with Projects read/write) is required. Always add a pre-flight secret validation step so failures are immediately actionable. | ||
|
|
||
| **Files changed:** `.github/workflows/squad-mark-released.yml` | ||
| **Related decisions inbox:** `boromir-268-project-token.md` |
| 3. Downgraded `actions/github-script@v9` → `@v7` (stable LTS version) | ||
| 4. Added a top-of-file comment documenting the required PAT scope (`project`) | ||
|
|
||
| **Key lesson:** For GitHub Projects V2 GraphQL, `GITHUB_TOKEN` is never sufficient regardless of `permissions` block settings. A classic PAT with `project` OAuth scope (or fine-grained PAT with Projects read/write) is required. Always add a pre-flight secret validation step so failures are immediately actionable. |
Contributor
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## dev #271 +/- ##
=======================================
Coverage 86.57% 86.57%
=======================================
Files 44 44
Lines 1043 1043
Branches 116 116
=======================================
Hits 903 903
Misses 96 96
Partials 44 44 🚀 New features to boost your workflow:
|
… squad-mark-released (#268) - Replace 'repository-projects: write' (GITHUB_TOKEN only) with 'contents: read' The permissions block was misleading — it has no effect on the custom PAT used by this workflow. The GITHUB_TOKEN is not used for Projects V2 GraphQL calls. - Add pre-flight step that validates GH_PROJECT_TOKEN secret is set and fails early with an actionable error message (setup URL, required scope) if missing. - Downgrade actions/github-script@v9 → @v7 (stable LTS version). - Add top-of-file comment documenting required PAT scope (classic PAT: 'project'). Root cause of GraphQL error: when GH_PROJECT_TOKEN is unset, actions/github-script receives an empty string and effectively uses GITHUB_TOKEN, which cannot access GitHub Projects V2 regardless of the permissions block. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
mpaulosky
force-pushed
the
squad/268-fix-squad-mark-released-permissions
branch
from
May 8, 2026 18:34
abf50c8 to
00639c9
Compare
10 tasks
mpaulosky
added a commit
that referenced
this pull request
May 8, 2026
## Sprint 18 — AppHost MongoDB Dev Commands Refactor This release promotes all Sprint 18 work from `dev` to `main`. ### What's included #### Feature work - **#262** — `refactor(apphost): extract WithClearDatabaseCommand into MongoDbResourceBuilderExtensions` - **#263** — `feat(AppHost): add WithSeedDataCommand for local dev seeding` - **#264** — `feat(AppHost): add WithShowStatsCommand for local dev stats` - **#267** — `refactor: rename _clearMutex to _dbMutex in MongoDbResourceBuilderExtensions` #### CI fixes - **#270** — `fix(ci): Blog → README Sync — push to dev instead of main` - **#271** — `fix(ci): add pre-flight token validation and fix permissions block in squad-mark-released` ### CI status - ✅ **Squad CI** (`ci.yml`) — green on latest `dev` commit -⚠️ **Test Suite** — 1 flaky test failure: `SeedMyBlogData Concurrent Invocations Allow Only One Run` (timing-sensitive concurrency test; race condition in test harness, not production code). All other 47 tests pass. Squad CI gate is the authoritative pass/fail gate. ### Notes - Last release tag: `v1.5.0` - `dev` is 55 commits ahead of `main` - No open Sprint 18 issues, no open PRs - Merge strategy: squash merge per playbook --- ## Release Checklist - [ ] Latest `dev` Squad CI is green ✅ - [ ] Release scope reviewed (Sprint 18 milestone closed, all 4 issues merged) - [ ] Breaking changes documented (none — additive AppHost extension methods only) - [ ] Flaky test acknowledged (`SeedMyBlogData Concurrent` — timing race in test, not prod) - [ ] Release notes drafted (see sprint summary above) - [ ] Aragorn approval received - [ ] Boromir confirms branch state and workflow health - [ ] PR CI passes before merge - [ ] Merge to `main` with squash merge - [ ] Tag `main` with appropriate `vX.Y.Z` after merge + CI green Closes the Sprint 18 release gate. Working as Boromir (DevOps) --------- Co-authored-by: Boromir <boromir@squad.dev> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Working as Boromir (DevOps)
Closes #268
Root Cause
The workflow was failing with
Resource not accessible by integrationbecause:permissions: repository-projects: writeonly controlsGITHUB_TOKEN— it has no effect on a custom PAT passed viagithub-token:GH_PROJECT_TOKENsecret is not set,actions/github-scriptreceives an empty string and falls back to usingGITHUB_TOKEN, which cannot access GitHub Projects V2 GraphQL regardless of the permissions blockChanges
repository-projects: write→contents: read(correct for workflows that rely exclusively on a custom PAT)GH_PROJECT_TOKENis set; fails early with an actionable error message if missing (includes setup instructions and required scope)actions/github-script@v9→@v7(stable LTS version)projectOAuth scope is requiredSetup Required
To make this workflow functional, add
GH_PROJECT_TOKENas a repository secret:projectscopeGH_PROJECT_TOKEN