Skip to content
This repository was archived by the owner on Mar 3, 2026. It is now read-only.

fix secret #10

Merged
markovejnovic merged 1 commit into from
Feb 25, 2026
Merged

fix secret #10

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/accept_proto.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ jobs:

- name: Download proto artifact from depot
env:
GH_TOKEN: ${{ secrets.DEPOT_TOKEN }}
GH_TOKEN: ${{ secrets.CI_GIT_PAT }}
Copy link

@mesa-dot-dev mesa-dot-dev bot Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium

By switching this step to secrets.CI_GIT_PAT, the download now depends on that PAT having read access to the depot repo’s artifacts (e.g., actions:read/repo). The previous DEPOT_TOKEN looked purpose-built for this workflow, so if CI_GIT_PAT is broader-scoped but lacks artifact access—or simply isn’t defined in this repo—the job will start failing when it tries to fetch the proto. Can we confirm the secret exists with the necessary permissions or document why this token is preferred?

Agent: 🎃 Charlie • Fix in Cursor • Fix in Claude

Prompt for Agent 
Task: Address review feedback left on GitHub.
Repository: mesa-dot-dev/sdk-rust#10
File: .github/workflows/accept_proto.yml#L64
Action: Open this file location in your editor, inspect the highlighted code, and resolve the issue described below.

Feedback:
By switching this step to `secrets.CI_GIT_PAT`, the download now depends on that PAT having read access to the depot repo’s artifacts (e.g., `actions:read`/`repo`). The previous `DEPOT_TOKEN` looked purpose-built for this workflow, so if `CI_GIT_PAT` is broader-scoped but lacks artifact access—or simply isn’t defined in this repo—the job will start failing when it tries to fetch the proto. Can we confirm the secret exists with the necessary permissions or document why this token is preferred?

RUN_ID: ${{ github.event.client_payload.run_id }}
ARTIFACT_NAME: ${{ github.event.client_payload.artifact_name }}
run: |
Expand Down
Loading