fix(ci): unblock docs CI — use GITHUB_TOKEN for version fetch + skip bot-blocked link#463
Closed
g-despot wants to merge 2 commits into
Closed
fix(ci): unblock docs CI — use GITHUB_TOKEN for version fetch + skip bot-blocked link#463g-despot wants to merge 2 commits into
g-despot wants to merge 2 commits into
Conversation
…site is live) The community PHP client author link (docs/weaviate/client-libraries/community.md) returns 200 in a browser but 403s GitHub-runner traffic via linkinator, failing PR link validation. Add it to the shared domainsToIgnore list, matching the existing convention for db-engines.com and similar bot-protected domains.
…ed PAT The custom GH_API_TOKEN secret (a PAT) expired, so update-config-versions.js got 401 Unauthorized from the GitHub API and failed the whole job at the 'Update versions from GitHub' step in both PR link validation and the production Build-and-deploy workflow. Switch both to the built-in secrets.GITHUB_TOKEN, matching llms_txt_tests.yml, which already fetches the same public release listings successfully. The env var name GH_API_TOKEN is unchanged so the script needs no edit; GITHUB_TOKEN never expires and needs no rotation.
There was a problem hiding this comment.
Orca Security Scan Summary
| Status | Check | Issues by priority | |
|---|---|---|---|
| Infrastructure as Code | View in Orca | ||
| SAST | View in Orca | ||
| Secrets | View in Orca | ||
| Vulnerabilities | View in Orca |
Contributor
Author
|
Superseded by #464 — moved the same two commits onto |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What was broken
Every docs PR's PR links validation check was failing, and so was the path used by production Build and deploy. Two independent causes:
1. Expired
GH_API_TOKEN(the real blocker)The custom PAT in
secrets.GH_API_TOKENexpired/was revoked._build_scripts/update-config-versions.jssentBearer <expired>to the GitHub API, got 401 Unauthorized, exhausted its retries, and killed the job at the Update versions from GitHub step — before link validation ever ran. This affected bothpull_requests.yamlandbranch.yaml(production deploy).Verified on the live endpoint:
api.github.com/repos/weaviate/weaviate/releasesGITHUB_TOKENgives)Fix: switch the three
secrets.GH_API_TOKENreferences to the built-insecrets.GITHUB_TOKEN, matching whatllms_txt_tests.ymlalready does successfully for the same script. The env var nameGH_API_TOKENis unchanged, so the build script needs no edit.GITHUB_TOKENnever expires and needs no rotation.2.
tim-kleyersburg.defalse positiveThe community PHP-client author link returns 200 in a browser but 403s GitHub-runner traffic (bot protection). Added it to the shared
domainsToIgnorelist, matching the existing convention fordb-engines.comand similar.Testing
node --checkonlink-validator.js; the new ignore entry matches the target URL and notdocs.weaviate.io.