diff --git a/.github/workflows/bump-platform-submodule.yml b/.github/workflows/bump-platform-submodule.yml index 2253a9d..6cde1cb 100644 --- a/.github/workflows/bump-platform-submodule.yml +++ b/.github/workflows/bump-platform-submodule.yml @@ -41,7 +41,12 @@ jobs: run: | set -euo pipefail - AUTH_HEADER="Authorization: bearer ${PLATFORM_BUMP_TOKEN}" + # GitHub's git-over-HTTPS smart protocol expects Basic auth with + # `x-access-token:` (Bearer works for the REST API but not + # for `git push`/`git fetch`). Matches actions/checkout's own + # internal extraheader format. + AUTH_B64=$(printf '%s' "x-access-token:${PLATFORM_BUMP_TOKEN}" | base64 -w0) + AUTH_HEADER="Authorization: basic ${AUTH_B64}" git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" diff --git a/CHANGELOG.md b/CHANGELOG.md index 40039d7..8e658a0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,6 +1,9 @@ # Changelog -## 0.0.11-beta.3 — 2026-05-25 +## 0.0.11-beta.3 — 2026-05-28 + +### Fixes +- Fix the `bump-platform-submodule.yml` workflow's first post-merge push, which failed with `fatal: could not read Username for 'https://github.com'`. The `persist-credentials: false` hardening from #394 left the cross-repo `git push`/`fetch` unauthenticated, and the inline `Authorization: bearer …` extraheader only authenticates GitHub's REST API — git-over-HTTPS smart-protocol expects Basic auth with `x-access-token:`. Switch to a base64-encoded Basic header (matching `actions/checkout`'s own internal extraheader format) so the push and the rebase-and-retry fetch in the loop both authenticate (#395). ### Features - Add a `bump-platform-submodule.yml` workflow that pushes a matching `failproofai/oss` gitlink bump to `FailproofAI/platform` `main` on every merge into this repo's `main`, so the monorepo's pinned submodule commit tracks upstream automatically. Uses a `PLATFORM_BUMP_TOKEN` repo secret (fine-grained PAT, contents: read & write on `FailproofAI/platform`) for cross-repo auth, a concurrency group to serialize back-to-back merges, and a rebase-and-retry loop to stay race-safe against humans pushing to platform `main` between checkout and push (#394).
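Review bot: In the `.github/workflows/bump-platform-submodule.yml` hunk, `AUTH_B64` is a reversible encoding of `PLATFORM_BUMP_TOKEN` but is not itself registered as a secret, so log masking of the derived value is not guaranteed if a later `set -x` or an error message echoes `AUTH_HEADER`. Register it immediately after the assignment with `echo "::add-mask::${AUTH_B64}"`; the comment already cites actions/checkout as the model, and checkout masks its encoded credential in the same way. Separately, `base64 -w0` is GNU coreutils syntax: either note in the comment that the job assumes a Linux runner, or use `base64 | tr -d '\n'` so the step does not break if `runs-on` changes. How `AUTH_HEADER` is passed to git is outside this hunk, so it is worth confirming there that it goes in through `git -c http.extraheader=...` or the environment rather than being written to the persisted repo config, which would undo the `persist-credentials: false` hardening the changelog refers to.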
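Review bot: In the `CHANGELOG.md` hunk, the `0.0.11-beta.3` heading is re-dated from 2026-05-25 to 2026-05-28 and the #395 fix is folded into the same version that introduces the workflow in #394; if `0.0.11-beta.3` was already tagged or published on the earlier date, the fix should go under a new version heading instead of rewriting the existing one. The Fixes entry (and the matching workflow comment) also describes the credential as Basic auth with `x-access-token:` and nothing after the colon; state explicitly that the token follows the colon as the password, so the entry documents the full format a reader would need to reproduce.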