From f1c6673e03db35d27575859d2d66ba9b205dd868 Mon Sep 17 00:00:00 2001 From: Hongming Wang Date: Tue, 28 Apr 2026 18:28:01 -0700 Subject: [PATCH] fix(ci): hard-fail publish-runtime cascade on push when token missing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Mirror the sweep-cf-orphans hardening (#2248) on publish-runtime's TEMPLATE_DISPATCH_TOKEN gate. The previous behaviour was to print ::warning::skipping cascade — templates will pick up the new version on their own next rebuild and exit 0. That message is wrong: the 8 workspace-template repos only rebuild on this repository_dispatch fanout. Without the dispatch they stay pinned to whatever runtime version they last saw, and the gap is invisible until someone notices a template several versions behind weeks later. Behaviour after this PR: - push (auto-trigger on workspace/runtime/** changes) → exit 1 - workflow_dispatch (manual operator) → exit 0 with a warning (operator already accepted state; let them rerun after restoring the secret) The token-missing path now also names the consequence concretely ("templates will NOT pick up the new version until this token is restored") so future operators see the actionable line, not the misleading "they'll catch up on their own" message. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/publish-runtime.yml | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish-runtime.yml b/.github/workflows/publish-runtime.yml index 516f8f98..80fdf737 100644 --- a/.github/workflows/publish-runtime.yml +++ b/.github/workflows/publish-runtime.yml 
@@ -419,9 +419,32 @@ jobs: RUNTIME_VERSION: ${{ needs.publish.outputs.version }} run: | set +e # don't abort on a single repo failure — collect them all + # Schedule-vs-dispatch behaviour split (hardened 2026-04-28 + # after the sweep-cf-orphans soft-skip incident — same class + # of bug): + # + # The earlier "skipping cascade. templates will pick up the + # new version on their own next rebuild" message was wrong — + # templates only build on this dispatch trigger; without it + # they stay pinned to whatever runtime version they last saw. + # A silent skip here means "PyPI is current, templates are + # not" and the gap is invisible until someone notices a + # template still on the old version weeks later. + # + # - push → exit 1 (red CI surfaces the gap) + # - workflow_dispatch → exit 0 with a warning (operator + # ran this ad-hoc; let them rerun + # after fixing the secret) if [ -z "$DISPATCH_TOKEN" ]; then - echo "::warning::TEMPLATE_DISPATCH_TOKEN secret not set — skipping cascade. PyPI was published; templates will pick up the new version on their own next rebuild." - exit 0 + if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then + echo "::warning::TEMPLATE_DISPATCH_TOKEN secret not set — skipping cascade." + echo "::warning::set it at Settings → Secrets and Variables → Actions, then rerun. Templates will stay on the prior runtime version until either this token is set or each template is rebuilt manually." + exit 0 + fi + echo "::error::TEMPLATE_DISPATCH_TOKEN secret missing — cascade cannot fan out." + echo "::error::PyPI was published, but the 8 template repos will NOT pick up the new version until this token is restored and a republish dispatches the cascade." + echo "::error::set it at Settings → Secrets and Variables → Actions; then re-trigger publish-runtime via workflow_dispatch." + exit 1 fi VERSION="$RUNTIME_VERSION" if [ -z "$VERSION" ]; then
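Review bot: In the new `if [ "${{ github.event_name }}" = "workflow_dispatch" ]` test, prefer the default `$GITHUB_EVENT_NAME` environment variable over an inline `${{ }}` expression inside the `run:` script. `github.event_name` is a fixed set of runner-defined values, so this particular expansion is not an injection risk, but the rest of this step already reads its inputs from the environment (`$DISPATCH_TOKEN`, `$RUNTIME_VERSION`), and keeping template expressions out of the shell body means the next edit to this block has no expansion pattern to copy. The fail-closed shape is right: only `workflow_dispatch` gets the soft `exit 0`, and `push` plus every other event falls through to `exit 1`. Two smaller points in the same hunk: the comment header says "Schedule-vs-dispatch behaviour split", but the split implemented (and the one described in the commit message) is push vs `workflow_dispatch`, so "Push-vs-dispatch" would match the code; and the two branches describe the recovery path differently ("until either this token is set or each template is rebuilt manually" vs. "until this token is restored and a republish dispatches the cascade"), so it is worth aligning them to one statement so operators reading either log line get the same instruction.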