fix(worker): probe execute GitHub token

2026-04-29 04:03:21 -07:00 · 2026-04-29 04:03:21 -07:00 · 195790bbe8
commit 195790bbe8
parent f844c7bb41
1 changed files with 24 additions and 10 deletions
--- a/.github/workflows/cluster-worker.yml
+++ b/.github/workflows/cluster-worker.yml
@ -252,6 +252,30 @@ jobs:
          permission-pull-requests: write
          permission-workflows: write

+      - name: Select GitHub write token
+        env:
+          CLOWNFISH_APP_GH_TOKEN: ${{ steps.app_token.outputs.token }}
+          CLOWNFISH_WORKFLOW_APP_GH_TOKEN: ${{ steps.workflow_app_token.outputs.token }}
+          CLOWNFISH_WRITE_GH_TOKEN: ${{ secrets.CLOWNFISH_GH_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          for candidate in CLOWNFISH_WRITE_GH_TOKEN CLOWNFISH_WORKFLOW_APP_GH_TOKEN CLOWNFISH_APP_GH_TOKEN GITHUB_TOKEN; do
+            token="${!candidate:-}"
+            if [ -z "$token" ]; then
+              continue
+            fi
+            if GH_TOKEN="$token" gh api "repos/${CLOWNFISH_ALLOWED_OWNER}/openclaw" --jq .full_name >/dev/null 2>/tmp/clownfish-gh-token-check.err; then
+              echo "GH_TOKEN=$token" >> "$GITHUB_ENV"
+              echo "selected $candidate for GitHub write/apply access"
+              exit 0
+            fi
+            echo "::warning::$candidate failed GitHub write/apply probe"
+            sed 's/./*/g' /tmp/clownfish-gh-token-check.err | head -n 1 || true
+          done
+          echo "no GitHub token could reach repos/${CLOWNFISH_ALLOWED_OWNER}/openclaw"
+          exit 1
+
      - uses: actions/setup-node@v5
        with:
          node-version: "24"
@ -300,32 +324,22 @@ jobs:
      - name: Execute credited fix artifact
        if: ${{ env.CLOWNFISH_ALLOW_EXECUTE == '1' && env.CLOWNFISH_ALLOW_FIX_PR == '1' }}
        timeout-minutes: 30
-        env:
-          GH_TOKEN: ${{ secrets.CLOWNFISH_GH_TOKEN || steps.workflow_app_token.outputs.token || steps.app_token.outputs.token || github.token }}
        run: npm run execute-fix -- "${{ inputs.job }}" --latest

      - name: Apply safe closure actions
        if: ${{ env.CLOWNFISH_ALLOW_EXECUTE == '1' }}
-        env:
-          GH_TOKEN: ${{ secrets.CLOWNFISH_GH_TOKEN || steps.workflow_app_token.outputs.token || steps.app_token.outputs.token || github.token }}
        run: npm run apply-result -- "${{ inputs.job }}" --latest

      - name: Post-flight finalize fix PRs
        if: ${{ env.CLOWNFISH_ALLOW_EXECUTE == '1' && env.CLOWNFISH_ALLOW_FIX_PR == '1' }}
-        env:
-          GH_TOKEN: ${{ secrets.CLOWNFISH_GH_TOKEN || steps.workflow_app_token.outputs.token || steps.app_token.outputs.token || github.token }}
        run: npm run post-flight -- "${{ inputs.job }}" --latest

      - name: Apply post-flight closeouts
        if: ${{ env.CLOWNFISH_ALLOW_EXECUTE == '1' }}
-        env:
-          GH_TOKEN: ${{ secrets.CLOWNFISH_GH_TOKEN || steps.workflow_app_token.outputs.token || steps.app_token.outputs.token || github.token }}
        run: npm run apply-result -- "${{ inputs.job }}" --latest

      - name: Tag Clownfish targets
        if: ${{ always() && env.CLOWNFISH_ALLOW_EXECUTE == '1' }}
-        env:
-          GH_TOKEN: ${{ secrets.CLOWNFISH_GH_TOKEN || steps.workflow_app_token.outputs.token || steps.app_token.outputs.token || github.token }}
        run: npm run tag-clownfish -- .projectclownfish/runs --apply --live --open-branches false --report .projectclownfish/runs/clownfish-label-report.json

      - name: Upload final worker artifacts