From bb4f82b79516589eb4e954a4176e0a3fc7ebdad3 Mon Sep 17 00:00:00 2001 From: Jonathan Miller Date: Sat, 18 Apr 2026 10:54:56 -0500 Subject: [PATCH] =?UTF-8?q?Fix=20workflows:=20github-script=E2=86=92curl,?= =?UTF-8?q?=20jmiller-moko=E2=86=92jmiller,=20--jq=E2=86=92pipe=20jq?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - repo_health.yml: replaced actions/github-script permission check with Gitea API curl call - All workflows: jmiller-moko → jmiller (Gitea username) - All workflows: --jq flag (gh CLI) → pipe through jq -r - branch-freeze/repository-cleanup: --paginate/--input → curl equivalents Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/auto-assign.yml | 4 +- .github/workflows/auto-dev-issue.yml | 4 +- .github/workflows/branch-freeze.yml | 4 +- .github/workflows/repo_health.yml | 96 ++++++++++------------ .github/workflows/repository-cleanup.yml | 12 +-- .github/workflows/standards-compliance.yml | 4 +- .github/workflows/update-server.yml | 4 +- 7 files changed, 60 insertions(+), 68 deletions(-) diff --git a/.github/workflows/auto-assign.yml b/.github/workflows/auto-assign.yml index 1aafbc0..4d38fc6 100644 --- a/.github/workflows/auto-assign.yml +++ b/.github/workflows/auto-assign.yml @@ -7,7 +7,7 @@ # REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards # PATH: /.github/workflows/auto-assign.yml # VERSION: 04.06.00 -# BRIEF: Auto-assign jmiller-moko to unassigned issues and PRs every 15 minutes +# BRIEF: Auto-assign jmiller to unassigned issues and PRs every 15 minutes name: Auto-Assign Issues & PRs @@ -35,7 +35,7 @@ jobs: GH_TOKEN: ${{ secrets.GA_TOKEN || github.token }} run: | REPO="${{ github.repository }}" - ASSIGNEE="jmiller-moko" + ASSIGNEE="jmiller" echo "## 🏷️ Auto-Assign Report" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/auto-dev-issue.yml b/.github/workflows/auto-dev-issue.yml index 55af5da..ba7c14b 100644 
--- a/.github/workflows/auto-dev-issue.yml +++ b/.github/workflows/auto-dev-issue.yml @@ -135,7 +135,7 @@ jobs: --title "$SUB_FULL_TITLE" \ --body "$SUB_BODY" \ --label "${SUB_LABELS}" \ - --assignee "jmiller-moko" 2>&1) + --assignee "jmiller" 2>&1) SUB_NUM=$(echo "$SUB_URL" | grep -oE '[0-9]+$') if [ -n "$SUB_NUM" ]; then @@ -154,7 +154,7 @@ jobs: --title "$TITLE" \ --body "$PARENT_BODY" \ --label "${LABEL_TYPE},version" \ - --assignee "jmiller-moko" 2>&1) + --assignee "jmiller" 2>&1) PARENT_NUM=$(echo "$PARENT_URL" | grep -oE '[0-9]+$') diff --git a/.github/workflows/branch-freeze.yml b/.github/workflows/branch-freeze.yml index 0275786..dc334f2 100644 --- a/.github/workflows/branch-freeze.yml +++ b/.github/workflows/branch-freeze.yml @@ -46,7 +46,7 @@ jobs: ACTOR="${{ github.actor }}" REPO="${{ github.repository }}" PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${{GITEA_URL:-https://git.mokoconsulting.tech}}/api/v1/repos/${{ github.repository }}/collaborators/${ACTOR}/permission" 2>/dev/null \ - --jq '.permission' 2>/dev/null || echo "read") + 2>/dev/null | jq -r '.permission' || echo "read") if [ "$PERMISSION" != "admin" ]; then echo "Denied: only admins can freeze/unfreeze branches (${ACTOR} has ${PERMISSION})" exit 1 
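Review bot: The `|| echo "read"` fallback after the new `| jq -r '.permission'` no longer fires on a failed lookup, because the pipeline's status is jq's and jq exits 0 on empty input, so a failed `curl -sf` leaves PERMISSION empty rather than `read`. The `[ "$PERMISSION" != "admin" ]` check still denies (fail-closed), but the denial message then prints an empty permission. Suggest appending `|| echo '{}'` to the curl before the pipe, as repo_health.yml's new code does, and filtering with `jq -r '.permission // "read"'`. The continuation line also keeps a second `2>/dev/null` left over from the removed `--jq` line; the same leftover appears in the repository-cleanup @@ -305/@@ -327, standards-compliance @@ -2577 and update-server @@ -294 hunks. In the unchanged curl line, `${{GITEA_URL:-…}}` looks like a shell default written inside workflow-expression braces (repo_health.yml's new code uses the single-brace `${GITEA_URL:-…}`), so it is worth confirming it expands as intended.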
@@ -80,7 +80,7 @@ jobs: printf '"conditions":{"ref_name":{"include":["refs/heads/%s"],"exclude":[]}},' "${BRANCH}" >> /tmp/ruleset.json printf '"rules":[{"type":"update"},{"type":"deletion"},{"type":"non_fast_forward"}]}' >> /tmp/ruleset.json - RESULT=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${{GITEA_URL:-https://git.mokoconsulting.tech}}/api/v1/repos/${{ github.repository }}/rulesets" 2>/dev/null -X POST --input /tmp/ruleset.json --jq '.id' 2>&1) || true + RESULT=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${{GITEA_URL:-https://git.mokoconsulting.tech}}/api/v1/repos/${{ github.repository }}/rulesets" 2>/dev/null -X POST -d @/tmp/ruleset.json 2>&1 | jq -r '.id') || true if echo "$RESULT" | grep -qE '^[0-9]+$'; then echo "Frozen \`${BRANCH}\` — ruleset #${RESULT}" >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/repo_health.yml b/.github/workflows/repo_health.yml index 2914787..f4193b7 100644 --- a/.github/workflows/repo_health.yml +++ b/.github/workflows/repo_health.yml 
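Review bot: The new `RESULT=` line posts `/tmp/ruleset.json` with `-d @…` but sets no `Content-Type`, so curl sends it as `application/x-www-form-urlencoded`; a JSON API endpoint is likely to reject or ignore the body in that form. The trailing `2>&1` also overrides the earlier `2>/dev/null` (redirections apply left to right), so curl's own error text is piped into `jq`, which then fails to parse, and the `|| true` hides both outcomes before the numeric `grep` check below runs. Suggest `RESULT=$(curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" -H "Content-Type: application/json" --data-binary @/tmp/ruleset.json "${{GITEA_URL:-https://git.mokoconsulting.tech}}/api/v1/repos/${{ github.repository }}/rulesets" 2>/dev/null | jq -r '.id') || true`, with `--data-binary` so the body is sent byte-for-byte. The `if echo "$RESULT" | grep -qE '^[0-9]+$'` test remains the right success check; its else branch is outside the hunk.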
@@ -87,62 +87,54 @@ jobs: steps: - name: Check actor permission (admin only) id: perm - uses: actions/github-script@v7 - with: - github-token: ${{ secrets.GH_TOKEN }} - script: | - const actor = context.actor; - let permission = "unknown"; - let allowed = false; - let method = ""; + run: | + ACTOR="${{ github.actor }}" + REPO="${{ github.repository }}" + TOKEN="${{ secrets.GA_TOKEN }}" + GITEA_API="${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1" - // Hardcoded authorized users — always allowed - const authorizedUsers = ["jmiller-moko", "gitea-actions[bot]"]; - if (authorizedUsers.includes(actor)) { - allowed = true; - permission = "admin"; - method = "hardcoded allowlist"; - } else { - // Check via API for other actors - try { - const res = await github.rest.repos.getCollaboratorPermissionLevel({ - owner: context.repo.owner, - repo: context.repo.repo, - username: actor, - }); - permission = (res?.data?.permission || "unknown").toLowerCase(); - allowed = permission === "admin" || permission === "maintain"; - method = "repo collaborator API"; - } catch (error) { - core.warning(`Could not fetch permissions for '${actor}': ${error.message}`); - permission = "unknown"; - allowed = false; - method = "API error"; - } - } + PERMISSION="unknown" + ALLOWED="false" + METHOD="" - core.setOutput("permission", permission); - core.setOutput("allowed", allowed ? 
"true" : "false"); + # Hardcoded authorized users + if [ "$ACTOR" = "jmiller" ] || [ "$ACTOR" = "gitea-actions[bot]" ]; then + PERMISSION="admin" + ALLOWED="true" + METHOD="hardcoded allowlist" + else + # Check via Gitea API + RESULT=$(curl -sf -H "Authorization: token ${TOKEN}" \ + "${GITEA_API}/repos/${REPO}/collaborators/${ACTOR}/permission" 2>/dev/null || echo '{}') + PERMISSION=$(echo "$RESULT" | jq -r '.permission // "unknown"') + if [ "$PERMISSION" = "admin" ] || [ "$PERMISSION" = "owner" ] || [ "$PERMISSION" = "maintain" ]; then + ALLOWED="true" + fi + METHOD="Gitea collaborator API" + fi - const lines = [ - "## 🔐 Access Authorization", - "", - "| Field | Value |", - "|-------|-------|", - `| **Actor** | \`${actor}\` |`, - `| **Repository** | \`${context.repo.owner}/${context.repo.repo}\` |`, - `| **Permission** | \`${permission}\` |`, - `| **Method** | ${method} |`, - `| **Authorized** | ${allowed} |`, - `| **Trigger** | \`${context.eventName}\` |`, - `| **Branch** | \`${context.ref.replace('refs/heads/', '')}\` |`, - "", - allowed - ? `✅ ${actor} authorized (${method})` - : `❌ ${actor} is NOT authorized. Requires admin or maintain role, or be in the hardcoded allowlist.`, - ]; + echo "permission=${PERMISSION}" >> "$GITHUB_OUTPUT" + echo "allowed=${ALLOWED}" >> "$GITHUB_OUTPUT" - await core.summary.addRaw(lines.join("\n")).write(); + { + echo "## 🔐 Access Authorization" + echo "" + echo "| Field | Value |" + echo "|-------|-------|" + echo "| **Actor** | \`${ACTOR}\` |" + echo "| **Repository** | \`${REPO}\` |" + echo "| **Permission** | \`${PERMISSION}\` |" + echo "| **Method** | ${METHOD} |" + echo "| **Authorized** | ${ALLOWED} |" + echo "| **Trigger** | \`${{ github.event_name }}\` |" + echo "| **Branch** | \`${GITHUB_REF#refs/heads/}\` |" + echo "" + if [ "$ALLOWED" = "true" ]; then + echo "✅ ${ACTOR} authorized (${METHOD})" + else + echo "❌ ${ACTOR} is NOT authorized. Requires admin or maintain role." 
+ fi + } >> "$GITHUB_STEP_SUMMARY" - name: Deny execution when not permitted if: ${{ steps.perm.outputs.allowed != 'true' }} diff --git a/.github/workflows/repository-cleanup.yml b/.github/workflows/repository-cleanup.yml index 6c203ce..8a17a97 100644 --- a/.github/workflows/repository-cleanup.yml +++ b/.github/workflows/repository-cleanup.yml @@ -80,7 +80,7 @@ jobs: echo "✅ Scheduled run — authorized" exit 0 fi - AUTHORIZED_USERS="jmiller-moko gitea-actions[bot]" + AUTHORIZED_USERS="jmiller gitea-actions[bot]" for user in $AUTHORIZED_USERS; do if [ "$ACTOR" = "$user" ]; then echo "✅ ${ACTOR} authorized" @@ -88,7 +88,7 @@ jobs: fi done PERMISSION=$(gh api "repos/${{ github.repository }}/collaborators/${ACTOR}/permission" \ - --jq '.permission' 2>/dev/null) + 2>/dev/null | jq -r '.permission') case "$PERMISSION" in admin|maintain) echo "✅ ${ACTOR} has ${PERMISSION}" ;; *) echo "❌ Admin or maintain required"; exit 1 ;; @@ -191,7 +191,7 @@ jobs: echo "## 🏷️ Label Reset" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY - curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${{GITEA_URL:-https://git.mokoconsulting.tech}}/api/v1/repos/${{ github.repository }}/labels?per_page=100" 2>/dev/null --paginate --jq '.[].name' | while read -r label; do + curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${{GITEA_URL:-https://git.mokoconsulting.tech}}/api/v1/repos/${{ github.repository }}/labels?per_page=100" 2>/dev/null | jq -r '.[].name' | while read -r label; do ENCODED=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$label', safe=''))") gh api -X DELETE "repos/${REPO}/labels/${ENCODED}" --silent 2>/dev/null || true done 
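Review bot: The rewritten permission step no longer distinguishes a failed lookup from a genuine non-member: `curl -sf … || echo '{}'` maps any HTTP failure (rejected GA_TOKEN, wrong GITEA_URL, outage) to `permission=unknown` with method `Gitea collaborator API`, whereas the removed github-script version reported `API error` plus a warning. For an authorization gate that distinction matters operationally, since a broken token should surface as an error in the summary rather than look like a denied user; testing curl's exit status separately restores it (below). Two smaller points: `TOKEN="${{ secrets.GA_TOKEN }}"` and `ACTOR="${{ github.actor }}"` are interpolated into the script text, and passing them through the step's `env:` block is the usual way to keep them out of the rendered script; and the denial line says `Requires admin or maintain role.` while the check also accepts `owner`.
```yaml
            else
              # Check via Gitea API; a failed lookup is reported as an error, not as unknown membership
              if RESULT=$(curl -sf -H "Authorization: token ${TOKEN}" \
                   "${GITEA_API}/repos/${REPO}/collaborators/${ACTOR}/permission" 2>/dev/null); then
                PERMISSION=$(printf '%s' "$RESULT" | jq -r '.permission // "unknown"')
                METHOD="Gitea collaborator API"
                if [ "$PERMISSION" = "admin" ] || [ "$PERMISSION" = "owner" ] || [ "$PERMISSION" = "maintain" ]; then
                  ALLOWED="true"
                fi
              else
                METHOD="API error"
                echo "::warning::Could not fetch permissions for '${ACTOR}'"
              fi
            fi
            # … unchanged: GITHUB_OUTPUT lines and step summary …
```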
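Review bot: The `gh api "repos/…/collaborators/${ACTOR}/permission"` lookup in the @@ -88 hunk still goes through the gh CLI, while the same check in branch-freeze.yml, update-server.yml and repo_health.yml was moved to `curl` against the Gitea API in this commit. If `gh` is not configured for the Gitea host here, the call returns nothing, PERMISSION is empty and the `case` falls to `*)` — fail-closed, but with no indication that the lookup itself failed. Consider using the same curl form as branch-freeze.yml, or at least `jq -r '.permission // "unknown"'` so the "Admin or maintain required" line can report what was actually returned.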
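Review bot: Dropping `--paginate` in the @@ -191 hunk means the label reset now processes only the first page (`per_page=100`) of labels, so a repository with more than 100 labels keeps the remainder; if that is acceptable it deserves a comment, otherwise loop over `page=N` until the API returns an empty array. In the unchanged line below it, the label name is interpolated into Python source (`quote('$label', …)`), so a label containing a single quote breaks the command; `ENCODED=$(python3 -c "import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1], safe=''))" "$label")` passes it as data instead.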
@@ -278,7 +278,7 @@ jobs: curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${{GITEA_URL:-https://git.mokoconsulting.tech}}/api/v1/repos/${{ github.repository }}/branches?per_page=100" | jq -r '.[].name' 2>/dev/null | \ grep "^chore/sync-mokostandards" | \ grep -v "^${CURRENT}$" | while read -r branch; do - gh pr list --repo "$REPO" --head "$branch" --state open --json number --jq '.[].number' 2>/dev/null | while read -r pr; do + gh pr list --repo "$REPO" --head "$branch" --state open --json number 2>/dev/null | jq -r '.[].number' | while read -r pr; do gh pr close "$pr" --repo "$REPO" --comment "Superseded by \`${CURRENT}\`" 2>/dev/null || true echo " Closed PR #${pr}" >> $GITHUB_STEP_SUMMARY done @@ -305,7 +305,7 @@ jobs: # Delete cancelled and stale workflow runs for status in cancelled stale; do curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${{GITEA_URL:-https://git.mokoconsulting.tech}}/api/v1/repos/${{ github.repository }}/actions/runs?status=${status}&per_page=100" 2>/dev/null \ - --jq '.workflow_runs[].id' 2>/dev/null | while read -r run_id; do + 2>/dev/null | jq -r '.workflow_runs[].id' | while read -r run_id; do gh api -X DELETE "repos/${REPO}/actions/runs/${run_id}" --silent 2>/dev/null || true DELETED=$((DELETED+1)) done @@ -327,7 +327,7 @@ jobs: DELETED=0 curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${{GITEA_URL:-https://git.mokoconsulting.tech}}/api/v1/repos/${{ github.repository }}/actions/runs?created=<${CUTOFF}&per_page=100" 2>/dev/null \ - --jq '.workflow_runs[].id' 2>/dev/null | while read -r run_id; do + 2>/dev/null | jq -r '.workflow_runs[].id' | while read -r run_id; do gh api -X DELETE "repos/${REPO}/actions/runs/${run_id}/logs" --silent 2>/dev/null || true DELETED=$((DELETED+1)) done diff --git a/.github/workflows/standards-compliance.yml b/.github/workflows/standards-compliance.yml index 5435bea..bcc037a 100644 --- a/.github/workflows/standards-compliance.yml 
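Review bot: In the @@ -305 hunk, `DELETED=$((DELETED+1))` runs inside the `| while read -r run_id` pipeline, i.e. in a subshell, so if DELETED is reported after the loop (outside this hunk) it will still read 0; the new `| jq -r` pipe keeps that layout, and the same applies to the @@ -327 hunk. If the count matters, feed the loop with process substitution, `done < <(curl … 2>/dev/null | jq -r '.workflow_runs[].id')`, or print the total from inside the loop. In @@ -327 the unchanged URL also contains an unencoded `<` in `created=<${CUTOFF}`; `%3C` is the safe form if the server does not tolerate the raw character.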
+++ b/.github/workflows/standards-compliance.yml @@ -2577,7 +2577,7 @@ jobs: gh label create "$LABEL" --repo "$REPO" --color "D73A4A" --description "Standards compliance failure" --force 2>/dev/null || true EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${{GITEA_URL:-https://git.mokoconsulting.tech}}/api/v1/repos/${{ github.repository }}/issues?labels=${LABEL}&state=all&per_page=1&sort=created&direction=desc" 2>/dev/null \ - --jq '.[0].number' 2>/dev/null) + 2>/dev/null | jq -r '.[0].number') if [ -n "$EXISTING" ] && [ "$EXISTING" != "null" ]; then curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${{GITEA_URL:-https://git.mokoconsulting.tech}}/api/v1/repos/${{ github.repository }}/issues/${EXISTING}" 2>/dev/null -X PATCH \ @@ -2585,7 +2585,7 @@ jobs: echo "Updated issue #${EXISTING}" else gh issue create --repo "$REPO" --title "$TITLE" --body "$BODY" \ - --label "$LABEL" --assignee "jmiller-moko" + --label "$LABEL" --assignee "jmiller" fi # CUSTOMIZATION: diff --git a/.github/workflows/update-server.yml b/.github/workflows/update-server.yml index 7ef6ebe..cd98804 100644 --- a/.github/workflows/update-server.yml +++ b/.github/workflows/update-server.yml @@ -294,9 +294,9 @@ jobs: ACTOR="${{ github.actor }}" REPO="${{ github.repository }}" PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${{GITEA_URL:-https://git.mokoconsulting.tech}}/api/v1/repos/${{ github.repository }}/collaborators/${ACTOR}/permission" 2>/dev/null \ - --jq '.permission' 2>/dev/null || \ + 2>/dev/null | jq -r '.permission' || \ curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${{GITEA_URL:-https://git.mokoconsulting.tech}}/api/v1/repos/${{ github.repository }}/collaborators/${ACTOR}" 2>/dev/null \ - --jq '.role' 2>/dev/null || echo "read") + 2>/dev/null | jq -r '.role' || echo "read") case "$PERMISSION" in admin|maintain|write) ;; *)
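Review bot: In the update-server @@ -294 hunk the `||` chain is now effectively dead: each `curl … | jq -r` pipeline returns jq's status, and jq exits 0 on empty input, so when the first lookup fails the `.role` lookup and `echo "read"` never run and PERMISSION is empty. The `case` below still falls to `*)` (fail-closed; its body is outside the hunk), but the intended degradation to the collaborator `.role` endpoint is lost. Either add `set -o pipefail` at the top of the script, or group the lookups before the pipe: `PERMISSION=$( { curl -sf … /permission" 2>/dev/null || curl -sf … /collaborators/${ACTOR}" 2>/dev/null || echo '{"permission":"read"}'; } | jq -r '.permission // .role // "read"')`.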