Skip to content

fix(ci): unblock docs CI — use GITHUB_TOKEN for version fetch + skip bot-blocked link#463

Closed
g-despot wants to merge 2 commits into
mainfrom
fix/link-validator-ignore-tim-kleyersburg
Closed

fix(ci): unblock docs CI — use GITHUB_TOKEN for version fetch + skip bot-blocked link#463
g-despot wants to merge 2 commits into
mainfrom
fix/link-validator-ignore-tim-kleyersburg

Conversation

@g-despot

@g-despot g-despot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

What was broken

Every docs PR's PR links validation check was failing, and so was the path used by production Build and deploy. Two independent causes:

1. Expired GH_API_TOKEN (the real blocker)

The custom PAT in secrets.GH_API_TOKEN expired/was revoked. _build_scripts/update-config-versions.js sent Bearer <expired> to the GitHub API, got 401 Unauthorized, exhausted its retries, and killed the job at the Update versions from GitHub step — before link validation ever ran. This affected both pull_requests.yaml and branch.yaml (production deploy).

Verified on the live endpoint:

Auth api.github.com/repos/weaviate/weaviate/releases
valid bearer (what GITHUB_TOKEN gives) 200
expired/bad bearer (current state) 401
no token 200

Fix: switch the three secrets.GH_API_TOKEN references to the built-in secrets.GITHUB_TOKEN, matching what llms_txt_tests.yml already does successfully for the same script. The env var name GH_API_TOKEN is unchanged, so the build script needs no edit. GITHUB_TOKEN never expires and needs no rotation.

2. tim-kleyersburg.de false positive

The community PHP-client author link returns 200 in a browser but 403s GitHub-runner traffic (bot protection). Added it to the shared domainsToIgnore list, matching the existing convention for db-engines.com and similar.

Testing

  • Live-endpoint auth behavior confirmed (table above).
  • node --check on link-validator.js; the new ignore entry matches the target URL and not docs.weaviate.io.
  • This PR's own CI is the end-to-end test: the Update versions step should now pass (fix 1) and link validation should pass with the ignore in place (fix 2).

g-despot added 2 commits July 6, 2026 09:24
…site is live)

The community PHP client author link (docs/weaviate/client-libraries/community.md)
returns 200 in a browser but 403s GitHub-runner traffic via linkinator, failing
PR link validation. Add it to the shared domainsToIgnore list, matching the
existing convention for db-engines.com and similar bot-protected domains.
…ed PAT

The custom GH_API_TOKEN secret (a PAT) expired, so update-config-versions.js
got 401 Unauthorized from the GitHub API and failed the whole job at the
'Update versions from GitHub' step in both PR link validation and the
production Build-and-deploy workflow. Switch both to the built-in
secrets.GITHUB_TOKEN, matching llms_txt_tests.yml, which already fetches the
same public release listings successfully. The env var name GH_API_TOKEN is
unchanged so the script needs no edit; GITHUB_TOKEN never expires and needs
no rotation.

@orca-security-eu orca-security-eu Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Orca Security Scan Summary

Status Check Issues by priority
Passed Passed Infrastructure as Code high 0   medium 0   low 0   info 0 View in Orca
Passed Passed SAST high 0   medium 0   low 0   info 0 View in Orca
Passed Passed Secrets high 0   medium 0   low 0   info 0 View in Orca
Passed Passed Vulnerabilities high 0   medium 0   low 0   info 0 View in Orca

@g-despot

g-despot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #464 — moved the same two commits onto testing-ci to run the full test suite (snippets/indexability/llms.txt/links/deploy) against the restored WCD cluster. Deleting this branch.

@g-despot g-despot closed this Jul 6, 2026
@g-despot g-despot deleted the fix/link-validator-ignore-tim-kleyersburg branch July 6, 2026 10:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant