Skip to content

ci(coverage): push refreshed map via GitHub App token (ruleset bypass) #1465

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sbryngelson merged 1 commit into from
May 30, 2026
+15 −7
Merged

ci(coverage): push refreshed map via GitHub App token (ruleset bypass) #1465

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 15 additions & 7 deletions .github/workflows/coverage-refresh.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,22 +26,30 @@ jobs:
with: { clean: false }
- name: Build + collect coverage map (SLURM)
run: bash .github/scripts/submit-slurm-job.sh .github/workflows/common/coverage-refresh.sh cpu none phoenix
# Mint a short-lived GitHub App installation token. The app is on the master
# ruleset's bypass list (Integration actor), so its push satisfies the
# "require pull request" rule that rejects the default GITHUB_TOKEN.
- name: Generate app token
id: app-token
uses: actions/create-github-app-token@v3
with:
app-id: ${{ secrets.MAP_BOT_APP_ID }}
private-key: ${{ secrets.MAP_BOT_APP_PRIVATE_KEY }}
- name: Commit refreshed map
env:
CACHE_PUSH_TOKEN: ${{ secrets.CACHE_PUSH_TOKEN }}
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
if ! git diff --quiet tests/coverage_map.json.gz; then
git config user.name "mfc-bot"
git config user.email "mfc-bot@users.noreply.github.com"
git config user.name "mfc-map-bot[bot]"
git config user.email "mfc-map-bot[bot]@users.noreply.github.com"
git add tests/coverage_map.json.gz
# --no-verify: this bot commit stages only the binary coverage map; it
# must not run the repo pre-commit hook (./mfc.sh precheck/spelling),
# which is for source changes and aborts the commit on the runner.
git commit --no-verify -m "test: refresh coverage map [skip ci]"
# Push to protected master via CACHE_PUSH_TOKEN (a PAT/App token with
# contents:write + branch-protection bypass), mirroring deploy-tap.yml's
# x-access-token push. The default GITHUB_TOKEN is rejected by protection.
git push "https://x-access-token:${CACHE_PUSH_TOKEN}@github.com/MFlowCode/MFC.git" HEAD:master
# Push to master via the app installation token. The app is a bypass
# actor on the master ruleset, so the require-PR rule does not reject it.
git push "https://x-access-token:${GH_TOKEN}@github.com/MFlowCode/MFC.git" HEAD:master
else
echo "Coverage map unchanged."
fi
Loading