ci(nightly): surface a clear error when the Gitea API rejects the audit token #840

Merged
marcel merged 1 commit from devops/issue-839-nightly-audit-clear-error into main 2026-06-14 19:58:05 +02:00
Owner

What

The npm-audit job in nightly.yml filed its tracking issue via curl -sf, which collapses every HTTP >= 400 into a bare exit 22. When NIGHTLY_AUDIT_TOKEN is rejected (missing/expired/under-scoped), the step died with an opaque exitcode '22' and no hint at the cause — exactly what happened on run #6707 (the audit correctly found the tmp high advisory, then couldn't authenticate to file the issue).

Change

  • Add an api() helper that reads the HTTP status code and, on >= 400, emits an actionable ::error:: naming the status and the NIGHTLY_AUDIT_TOKEN secret (value/scope) before failing the step — never echoing the token value.
  • Route all five API calls (list issues, patch, create, list labels, add labels) through it.
  • Extend the in-workflow self-test with a mocked-curl check covering both the success path (2xx returns body) and the error path (>= 400 emits ::error::, fails).

Behaviour on success is unchanged; the step still fails non-zero on error (clarity does not mask the failure).

Verification

  • Red→green TDD on the helper logic (200/201 return body; 401/500 emit ::error::, return non-zero; token never leaked).
  • Integration test with mocked curl: create-new and update-existing paths both work; a 401-on-create now prints a clear ::error:: and fails cleanly instead of exit 22.
  • Self-test block executed in-place under set -eo pipefail; YAML parses; npm run lint clean.

Note (not in this PR)

This only fixes the opaque failure mode. The job will still go red by design (exit "$AUDIT_EXIT") while the real tmp advisory (GHSA-ph9p-34f9-6g65) is open, and the token itself must be repaired operationally (recreate the renovate_bot PAT with issue read+write scope and update the secret).

Closes #839

🤖 Generated with Claude Code

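The PR's diff is not shown on this page, so the following is an added example rather than the project's own workflow code: a shell `api()` helper of the kind the description outlines (capture the HTTP status instead of relying on `curl -sf`, emit a `::error::` annotation on >= 400 that names the `NIGHTLY_AUDIT_TOKEN` secret without printing its value, fail the step), together with a mocked-`curl` self-test covering the 2xx and the 401 paths. `mock_curl`, `selftest_success`, `selftest_error`, the `GITEA_URL` base URL, the repository path and the sample responses are all constructed here; only the secret name comes from the PR.

```shell
#!/bin/sh
# Added example (not the PR's diff): an api() helper that keeps the HTTP status
# visible instead of letting `curl -sf` collapse it into a bare `exit 22`.
# Assumed environment: GITEA_URL (base URL, constructed here) and the
# NIGHTLY_AUDIT_TOKEN secret named in the PR.

api() {
  # usage: api METHOD PATH [JSON_BODY]  -> prints the response body on 2xx
  local method path body tmp status
  method="$1"; path="$2"; body="${3:-}"
  tmp="$(mktemp)" || return 1
  # No -f: we want the status code and body of an error, not curl's exit 22.
  # -o keeps the body in a file; -w prints only the status code to stdout.
  status="$(curl -s -o "$tmp" -w '%{http_code}' -X "$method" \
      -H "Authorization: token ${NIGHTLY_AUDIT_TOKEN:-}" \
      -H 'Content-Type: application/json' \
      ${body:+--data} ${body:+"$body"} \
      "${GITEA_URL:-}${path}")" || {
    echo "::error::curl could not reach the Gitea API (${method} ${path})" >&2
    rm -f "$tmp"; return 1
  }
  case "$status" in
    2*) cat "$tmp"; rm -f "$tmp"; return 0 ;;
    *)
      # Name the secret and what to check, but never print its value.
      echo "::error::Gitea API ${method} ${path} returned HTTP ${status}:" \
           "check that the NIGHTLY_AUDIT_TOKEN secret is set, not expired," \
           "and scoped to read/write issues" >&2
      rm -f "$tmp"; return 1 ;;
  esac
}

mock_curl() {
  # Test double for curl (constructed for the self-test): understands -o FILE and
  # -w '%{http_code}', ignores every other flag, and answers with MOCK_STATUS/MOCK_BODY.
  local out
  out=""
  while [ $# -gt 0 ]; do
    case "$1" in
      -o) out="$2"; shift ;;
      -H|-X|-w|--data) shift ;;
    esac
    shift
  done
  printf '%s' "${MOCK_BODY:-}" > "$out"
  printf '%s' "${MOCK_STATUS:-500}"
}

selftest_success() {
  # 200 with a body: api() must print the body and return 0.
  ( curl() { mock_curl "$@"; }
    GITEA_URL=https://gitea.example NIGHTLY_AUDIT_TOKEN=constructed-token
    MOCK_STATUS=200 MOCK_BODY='[{"number":42}]'
    api GET /api/v1/repos/o/r/issues 2>/dev/null )
}

selftest_error() {
  # 401 on create: api() must fail, emit ::error:: naming the secret, and not leak it.
  ( curl() { mock_curl "$@"; }
    GITEA_URL=https://gitea.example NIGHTLY_AUDIT_TOKEN=constructed-token
    MOCK_STATUS=401 MOCK_BODY='{"message":"token does not have the required scope"}'
    err="$(api POST /api/v1/repos/o/r/issues '{"title":"npm audit"}' 2>&1 >/dev/null)" && exit 1
    case "$err" in *'::error::'*'HTTP 401'*'NIGHTLY_AUDIT_TOKEN'*) ;; *) exit 1 ;; esac
    case "$err" in *constructed-token*) exit 1 ;; esac
    exit 0 )
}

# Run both checks when invoked as `sh api-helper.sh --self-test`.
if [ "${1:-}" = "--self-test" ]; then
  selftest_success >/dev/null && selftest_error && echo "self-test ok"
fi
```

Inside a workflow step the calls then read like `ISSUES="$(api GET "/api/v1/repos/${REPO}/issues?labels=npm-audit&state=open")"`; because the helper returns non-zero on any >= 400 and on transport failure, a step running under `set -eo pipefail` still goes red, but the log now carries the status code and the name of the secret to repair rather than `exitcode '22'`.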
marcel added 1 commit 2026-06-14 19:31:09 +02:00
ci(nightly): surface a clear error when the Gitea API rejects the audit token
All checks were successful
CI / Unit & Component Tests (push) Successful in 3m51s
CI / OCR Service Tests (push) Successful in 23s
CI / Unit & Component Tests (pull_request) Successful in 4m43s
CI / Backend Unit Tests (push) Successful in 5m6s
CI / fail2ban Regex (push) Successful in 48s
CI / OCR Service Tests (pull_request) Successful in 23s
CI / Backend Unit Tests (pull_request) Successful in 5m10s
CI / Semgrep Security Scan (push) Successful in 23s
CI / fail2ban Regex (pull_request) Successful in 47s
CI / Compose Bucket Idempotency (push) Successful in 1m5s
CI / Semgrep Security Scan (pull_request) Successful in 23s
CI / Compose Bucket Idempotency (pull_request) Successful in 1m6s
SDD Gate / RTM Check (pull_request) Successful in 13s
SDD Gate / Contract Validate (pull_request) Successful in 24s
SDD Gate / Constitution Impact (pull_request) Successful in 17s
6dae4fe428
The npm-audit job filed its tracking issue via `curl -sf`, which collapses
every HTTP >=400 into a bare "exit 22". When the NIGHTLY_AUDIT_TOKEN secret is
missing, expired, or under-scoped, the step failed with an opaque
`exitcode '22'` and no hint at the cause (run #6707).

Route all five API calls through an `api()` helper that reads the HTTP status
and, on >=400, emits an actionable `::error::` naming the status and the token
secret before failing — without ever echoing the token value. Extend the
in-workflow self-test (mocked curl) to cover both the success and HTTP-error
paths.

Closes #839
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
marcel added the P2-medium and devops labels 2026-06-14 19:31:11 +02:00
marcel merged commit 6dae4fe428 into main 2026-06-14 19:58:05 +02:00
marcel deleted branch devops/issue-839-nightly-audit-clear-error 2026-06-14 19:58:06 +02:00
Reference: marcel/familienarchiv#840