chore(ci): update repo homepage after docs deploy#149
Conversation
Writes the deployed GitHub Pages URL back to the repo's `homepage` field so it renders in the About sidebar on the repo page. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
WalkthroughThe Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/docs.yml:
- Line 13: Replace the invalid permissions key and switch to a proper admin
token: remove the line "administration: write" and instead set only valid
permissions (e.g., "contents: write" or "pages: write" as appropriate) in the
permissions block; then stop using secrets.GITHUB_TOKEN for the PATCH
/repos/{owner}/{repo} call and use a stored personal access token or GitHub App
token with repository admin rights (e.g., secrets.ADMIN_TOKEN or secrets.PAT)
for that step so the homepage update succeeds.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 04cd1c87-6f84-4445-ab6d-58e6275f968d
📒 Files selected for processing (1)
.github/workflows/docs.yml
| contents: read | ||
| pages: write | ||
| id-token: write | ||
| administration: write |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
GitHub Actions workflow syntax: is administrationa supported key under top-levelpermissions? Please list the currently supported permission keys from official docs.
💡 Result:
No, administration is not a supported key under the top-level permissions key in GitHub Actions workflow syntax. The supported permission keys, as listed in the official GitHub documentation for workflow syntax, are: - actions - attestations (mentioned in secondary sources) - checks - contents - deployments - discussions - id-token - issues - packages - pages - pull-requests - repository-projects - security-events - statuses Additionally, shorthands like read-all, write-all, and {} (none) are supported. These permissions control access for the GITHUB_TOKEN. The key administration appears in GitHub App permissions or Enterprise contexts but is not available for workflow permissions.
Citations:
- 1: https://docs.github.com/actions/using-workflows/workflow-syntax-for-github-actions
- 2: https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax
- 3: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
- 4: https://docs.github.com/en/actions/reference/github_token-reference
- 5: https://dev.to/pwd9000/fgjgghjgh-19ka
- 6: https://github.github.com/gh-aw/reference/permissions/
- 7: https://pdsinterop.org/docs/development/github-actions/github-actions.permissions
- 8: https://docs.github.com/actions/reference/workflow-syntax-for-github-actions
- 9: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
- 10: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions
- 11: https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
🌐 Web query:
For GitHub REST API PATCH /repos/{owner}/{repo}(updatinghomepage), what token type and exact repository permission are required? Does GITHUB_TOKEN from Actions support this operation?
💡 Result:
For the GitHub REST API PATCH /repos/{owner}/{repo} endpoint to update the repository homepage, the token must provide admin access to the repository. This corresponds to the 'repo' OAuth scope for classic personal access tokens or fine-grained tokens, or repository 'Administration' write permission. The endpoint example shows updating 'homepage' without explicit permission notes beyond admin for certain fields like security_and_analysis, but deleting the repo explicitly requires admin, and repo updates generally require admin permissions. The GITHUB_TOKEN from GitHub Actions does not support this operation with standard permissions. GITHUB_TOKEN has limited scopes equivalent to specific granular permissions (contents:write, issues:write, etc.), but lacks 'Administration' write permission needed for repository settings updates like homepage. StackOverflow confirms GITHUB_TOKEN cannot perform repository settings changes, requiring a PAT or GitHub App with broader access. Permissions can be set in workflows, but repository administration is not among available GITHUB_TOKEN permissions.
Citations:
- 1: https://docs.github.com/en/rest/repos/repos
- 2: https://docs.github.com/rest/repos/repos
- 3: https://docs.github.com/en/rest/repos/repos?apiVersion=2026-03-10
- 4: https://docs.github.com/en/rest/authentication/permissions-required-for-fine-grained-personal-access-tokens?apiVersion=2026-03-10
- 5: https://stackoverflow.com/questions/77693765/github-actions-token-permissions-to-change-repository-settings
- 6: https://docs.github.com/actions/reference/authentication-in-a-workflow
Remove invalid permission scope and use appropriate token for repository admin operation.
Line 13 uses administration: write, which is not a valid GitHub Actions permissions key (only: actions, attestations, checks, contents, deployments, discussions, id-token, issues, packages, pages, pull-requests, repository-projects, security-events, statuses). Additionally, lines 44-46 attempt to use secrets.GITHUB_TOKEN for PATCH /repos/{owner}/{repo}, which requires admin-level repository permission that GITHUB_TOKEN cannot grant. The workflow will fail at validation and/or return 403 at runtime.
Replace administration: write with a valid permission or remove if unneeded, and use a personal access token or GitHub App token with admin repository access for the homepage update operation.
🧰 Tools
🪛 actionlint (1.7.12)
[error] 13-13: unknown permission scope "administration". all available permission scopes are "actions", "artifact-metadata", "attestations", "checks", "contents", "deployments", "discussions", "id-token", "issues", "models", "packages", "pages", "pull-requests", "repository-projects", "security-events", "statuses"
(permissions)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/docs.yml at line 13, Replace the invalid permissions key
and switch to a proper admin token: remove the line "administration: write" and
instead set only valid permissions (e.g., "contents: write" or "pages: write" as
appropriate) in the permissions block; then stop using secrets.GITHUB_TOKEN for
the PATCH /repos/{owner}/{repo} call and use a stored personal access token or
GitHub App token with repository admin rights (e.g., secrets.ADMIN_TOKEN or
secrets.PAT) for that step so the homepage update succeeds.
* chore: release v0.2.0 First tagged release. Contents of community-improvements project: M1 — Security Hardening (A2A bearer auth, audit redaction, origin verification) M2 — Memory On By Default (session persistence + load-on-start) M3 — Skill Loop (skill-v1 emission + SQLite FTS5 index + curator) Plus: .gitignore cleanup for .automaker-lock + .worktrees, docs coverage of security layer, skill-loop architecture, and new env vars. Manual bump because prepare-release.yml requires GH_PAT secret (not configured). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore: release v0.2.1 Bug fixes from v0.2.0 smoke testing: - Agent card now advertises bearer scheme when A2A_AUTH_TOKEN is set - Session memory persistence actually fires (moved from unreachable on_session_end to after_agent) - Test suite collects cleanly in fresh Docker env - MemoryMiddleware activates standalone (without knowledge_store) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(ci): update repo homepage after docs deploy (#149) Writes the deployed GitHub Pages URL back to the repo's `homepage` field so it renders in the About sidebar on the repo page. Co-authored-by: Automaker <automaker@localhost> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(llm): override OpenAI SDK User-Agent to bypass Cloudflare WAF Cloudflare's managed WAF on the proto-labs.ai zone returns 403 "Your request was blocked" for any request whose User-Agent starts with `OpenAI/Python` or `AsyncOpenAI/Python` — which is exactly what langchain_openai.ChatOpenAI sends by default via the bundled OpenAI SDK. /v1/models succeeded (different SDK path / UA) while /v1/chat/completions failed, making the break look like a key/ACL issue when it was a header signature match. Reproduction (before fix): curl -H 'User-Agent: OpenAI/Python 1.54.0' -H 'Authorization: Bearer <key>' \ https://api.proto-labs.ai/v1/chat/completions -d '{...}' -> HTTP 403 "Your request was blocked." The same call with User-Agent: curl/*, python-httpx/*, or any non-OpenAI string returns 200. `tools/lg_tools.py:226` already sets a protoAgent UA for outbound HTTP fetches — reuse that identifier here so every egress presents a consistent, allowlisted UA. Alternative fixes considered: - A Cloudflare Custom WAF Skip rule on the hostname: cleaner at the edge but requires a zone-scoped token and couples agent operability to infra config. - Stripping the UA header at cloudflared: not possible; WAF fires before the tunnel sees the request. The in-client override is the most portable fix: self-hosters on a different edge keep working, operators behind Cloudflare stop getting 403s. --------- Co-authored-by: Automaker <automaker@localhost> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: Ava <ava@protolabs.ai>
1 participant
Summary
homepagefield so it renders in the About sidebar.administration: writepermission soGITHUB_TOKENcan PATCH the repo metadata.Test plan
Summary by CodeRabbit