ci: replace add-to-kanban body with token-shim calling meta's composite action#242
Merged
ci: replace add-to-kanban body with token-shim calling meta's composite action#242
Conversation
…te action dotfiles is public, so GitHub's built-in "Accessible from repositories owned by the user" setting on the private tamakiii/meta (which grants the other 4 downstream callers simple remote-action access) does not apply here — that setting is private-caller-only. Instead, check the action out via actions/checkout with a fine-grained PAT scoped to Contents:Read on tamakiii/meta only, then reference it locally. New secret required on this repo: META_READ_PAT — a fine-grained PAT with resource owner 'tamakiii', repository access restricted to 'tamakiii/meta', permission Contents:Read-only (nothing else). Max PAT lifetime is one year, so rotation is a calendar item. The 4 private siblings (claudius/home/myfiles/openclaw-workspace) use the simpler shim without checkout/token. Once this lands, structural changes to the Kanban automation still land as a single PR on tamakiii/meta for all 5 callers — dotfiles just pays a sparse checkout step on every event. Related to tamakiii/meta#458
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Completes the rollout of tamakiii/meta#458 with the token-shim variant. dotfiles is the public outlier among the 5 downstream callers; GitHub's built-in "Accessible from repositories owned by 'tamakiii'" setting on the private tamakiii/meta only grants access to private callers, so dotfiles has to fetch the action directly with a read-only token rather than using the simple remote-action reference.
The shim checks out only
.github/actions/add-to-kanbanfrom meta viaactions/checkout@v5withsparse-checkout, then references it at./.meta-action/.github/actions/add-to-kanban. 28-line workflow instead of the 10-line version used by the 4 private siblings — worth the asymmetry to keep the action body single-sourced.Siblings for reference (all merged, dogfood-green):
Prerequisite: add
META_READ_PATsecret to this repoThe first dogfood run on this PR will fail until the secret is configured. Setup:
tamakiiitamakiii/metaMETA_READ_PATwith the token value.Max PAT lifetime is one year. Note the expiry and set a calendar reminder to rotate (or later upgrade to a dedicated
tamakiii-meta-readerGitHub App for rotation-free auth).Test plan
META_READ_PATis configured: close/reopen this PR to retrigger the workflow. Expect green — PR added to Kanban fix-default-shell #5, flipped to In Progress + Sprint=current; linkedtamakiii/meta#458flips to In Progress + Sprint=current.issues.closedstill moves items to Done + Sprint=current via the token-shim path.Scope note
META_READ_PATscope is intentionally Contents:Read on meta only. If leaked, the blast radius is equivalent to cloning meta — no issue writes, no PR writes, no other repos. This is the minimum scope that makes the workaround work.Related to tamakiii/meta#458.