devops(ci): nightly npm-audit fails with an opaque exit 22 when the Gitea API rejects NIGHTLY_AUDIT_TOKEN #839

New Issue

Closed

opened 2026-06-14 19:21:30 +02:00 by marcel · 0 comments

marcel commented 2026-06-14 19:21:30 +02:00

Owner

Copy Link

Problem

When the npm-audit job in .gitea/workflows/nightly.yml finds a high/critical advisory, it tries to file/patch a Gitea tracking issue via curl -sf. If the Gitea API rejects the request (HTTP >= 400 — e.g. the NIGHTLY_AUDIT_TOKEN secret is missing, expired, or lacks issue read+write scope), curl --fail exits 22 and set -e aborts the step with a bare:

exitcode '22': failure

No indication that the cause is the token. This already bit us: run #6707 failed with exit 22 because the audit correctly found the tmp high advisory (GHSA-ph9p-34f9-6g65, via patch-package), then could not authenticate to file the tracking issue. The failure was indistinguishable from a logic bug.

Root cause

curl -sf collapses every HTTP error into exit 22 with no message. The five API calls in the audit branch (list issues, patch, create, list labels, add labels) all share this failure mode.

Acceptance criteria

• REQ-001: When a Gitea API call in the npm-audit step returns HTTP >= 400, the step MUST emit a ::error:: annotation naming the HTTP status and pointing at the NIGHTLY_AUDIT_TOKEN secret (value/scope) as the likely cause, instead of a bare exitcode 22.
• REQ-002: The step MUST still fail (non-zero exit) on such an error — clarity must not mask the failure.
• REQ-003: The NIGHTLY_AUDIT_TOKEN value MUST NOT appear in logs or in the error message.
• REQ-004: On a successful (HTTP < 400) call, behaviour is unchanged — the response body is returned to the caller as before.
• REQ-005: An in-workflow self-test (mirroring the existing jq self-test) MUST cover both the HTTP-error path (emits ::error::, fails) and the success path (returns body) using a mocked transport.

Out of scope

• Fixing the tmp advisory itself (separate dependency bump).
• Rotating/recreating the NIGHTLY_AUDIT_TOKEN PAT (operational, not code).

## Problem When the `npm-audit` job in `.gitea/workflows/nightly.yml` finds a high/critical advisory, it tries to file/patch a Gitea tracking issue via `curl -sf`. If the Gitea API rejects the request (HTTP >= 400 — e.g. the `NIGHTLY_AUDIT_TOKEN` secret is missing, expired, or lacks issue read+write scope), `curl --fail` exits **22** and `set -e` aborts the step with a bare: ``` exitcode '22': failure ``` No indication that the cause is the token. This already bit us: run #6707 failed with exit 22 because the audit correctly found the `tmp` high advisory (`GHSA-ph9p-34f9-6g65`, via `patch-package`), then could not authenticate to file the tracking issue. The failure was indistinguishable from a logic bug. ## Root cause `curl -sf` collapses every HTTP error into exit 22 with no message. The five API calls in the audit branch (list issues, patch, create, list labels, add labels) all share this failure mode. ## Acceptance criteria - REQ-001: When a Gitea API call in the npm-audit step returns HTTP >= 400, the step MUST emit a `::error::` annotation naming the HTTP status and pointing at the `NIGHTLY_AUDIT_TOKEN` secret (value/scope) as the likely cause, instead of a bare `exitcode 22`. - REQ-002: The step MUST still fail (non-zero exit) on such an error — clarity must not mask the failure. - REQ-003: The `NIGHTLY_AUDIT_TOKEN` value MUST NOT appear in logs or in the error message. - REQ-004: On a successful (HTTP < 400) call, behaviour is unchanged — the response body is returned to the caller as before. - REQ-005: An in-workflow self-test (mirroring the existing jq self-test) MUST cover both the HTTP-error path (emits `::error::`, fails) and the success path (returns body) using a mocked transport. ## Out of scope - Fixing the `tmp` advisory itself (separate dependency bump). - Rotating/recreating the `NIGHTLY_AUDIT_TOKEN` PAT (operational, not code).

marcel added the P2-mediumdevops labels 2026-06-14 19:21:30 +02:00

marcel referenced this issue from a commit 2026-06-14 19:30:51 +02:00

ci(nightly): surface a clear error when the Gitea API rejects the audit token

marcel referenced a pull request that will close this issue 2026-06-14 19:31:09 +02:00

ci(nightly): surface a clear error when the Gitea API rejects the audit token #840

marcel closed this issue 2026-06-14 19:58:06 +02:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feat/issue-837-relationship-edit-dates

feat/issue-818-renovate-nightly-audit

feat/issue-803-geschichten-document-filter-chip

worktree-feat+issue-738-nl-search-backend

feat/issue-286-notification-bell-form-actions

feat/issue-580-sentry-backend

fix/issue-593-management-port-zero

worktree-feat+issue-557-upload-artifact-v3-pin

worktree-chore+issue-556-drop-client-branches-coverage-gate

fix/issue-514-prerender-crawl-bakes-redirects

fix/issue-472-prerender-entries

feat/issue-395-readme

feat/issue-345-bulk-mark-reviewed

feat/issue-344-bell-tooltip

feat/issue-341-annotieren-contrast

feat/issue-225-bulk-metadata-edit

feat/issue-317-bulk-upload

feat/issue-271-dashboard-redesign

docs/issue-240-mission-control-spec

refactor/issues-193-200

feat/issue-162-korrespondenz-redesign

feature/68-new-document-file-first

feat/81-discussion-discoverability

feat/62-document-bottom-panel

feature/56-backfill-file-hashes

feat/38-document-edit-history

fix/svelte5-test-delegation-and-login-auth

No results found.

Labels

Clear labels

P0-critical

Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.

P1-high

Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.

P2-medium

Noticeable improvement; doesn't block anything; schedule opportunistically.

P3-later

Cosmetic or parking-lot work; fine to stay open indefinitely.

audit

Read-only audit / assessment work; produces a report rather than changing code

bug

Something isn't working

cleanup

Removal of dead code, vague comments, naming violations, and scratch artifacts

collaboration

We want to extend the family archive to have more collaboration tools

conversation

descoped

We will do that later

devops

documentation

README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs

epic

Marker for epic-level issues that group multiple child issues

feature

file-upload

legibility

Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction

needs-discussion

Has an open decision or design question that must be resolved before implementation can start.

needs-review

Spec is drafted and awaiting the multi-persona /review-issue gate.

notification

person

phase-1: security

Security hygiene — must be done first

phase-2: container-images

Production-ready multi-stage Docker images

phase-3: prod-compose

Production compose overlay + Caddy reverse proxy

phase-4: spring-prod-profile

Spring Boot production configuration profile

phase-5: backups

Database and object storage backup strategy

phase-6: deployment-docs

.env.example, DEPLOYMENT.md, runbook

phase-7: monitoring

Prometheus, Loki, Grafana, Alertmanager

refactor

Code restructuring without behaviour change

security

spec-required

Feature whose contract is its issue body (EARS REQ-NNN); the spec must pass review before implementation.

test

ui

UI/UX and accessibility issues

user

No Label P2-medium devops

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Jens renovate_bot marcel

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: marcel/familienarchiv#839