fix(scarab): use GHCR_TRAINER_PAT for sovereign-scarab GHCR login#226
Open
gHashTag wants to merge 3 commits into
Conversation
added 3 commits
May 18, 2026 08:14
The merged `GITHUB_TOKEN` path still fails on first push of `ghcr.io/ghashtag/sovereign-scarab` with `permission_denied: write_package` (run 26019864970), even after repo default workflow permissions were set to write and the OCI `image.source` label was added (PRs #223-#225). The trainer publish workflow has been pushing `ghcr.io/ghashtag/trios-trainer-igla` on the same `ghashtag/*` user namespace successfully using the cross-repo PAT secret `GHCR_TRAINER_PAT`. Reuse it here — minimal unblock, GHCR-side only.

Read-only against Railway: no Railway API / PAT / `variableUpsert` / redeploy / delete. ADR-0042 scarab control plane (`ssot.scarab_strategy`) is untouched. `Dockerfile.scarab` target and `--bin scarab` build unchanged.

Regression guards added:
- `sovereign-scarab.yml` must use `secrets.GHCR_TRAINER_PAT`
- `sovereign-scarab.yml` must NOT use `secrets.GITHUB_TOKEN`
- `docker-trainer.yml` remains the canonical PAT anchor

Anchor: phi^2 + phi^-2 = 3. Agent: GENERAL
The existing read-only guard does a substring match on the workflow YAML, so even a comment that names `variableUpsert` etc. trips the assertion. Rephrase the comment to keep the intent (no Railway control-plane writes) without naming the forbidden symbols. Anchor: phi^2 + phi^-2 = 3. Agent: GENERAL
Summary
`sovereign-scarab` GHCR login step to the cross-repo PAT `secrets.GHCR_TRAINER_PAT` — the same proven-good credential the trainer publish workflow (`docker-trainer.yml`) uses to push `ghcr.io/ghashtag/trios-trainer-igla` on the same `ghashtag/*` user namespace.

`GITHUB_TOKEN` login still fails on first push of `ghcr.io/ghashtag/sovereign-scarab` with `permission_denied: write_package` (workflow run 26019864970) even after repo default workflow permissions were set to write and the OCI `image.source` label was added (PRs #223 "fix(scarab): bump Dockerfile.scarab to rust:1.90 for edition2024 deps" through #225 "fix(scarab): link GHCR package to repo via OCI image.source label"). Reusing the trainer PAT is the minimal unblock — GHCR-side only.

`crates/trios-igla-race/tests/scarab_runtime_invariants.rs`:
- `sovereign-scarab.yml` must use `secrets.GHCR_TRAINER_PAT`
- `sovereign-scarab.yml` must NOT use `secrets.GITHUB_TOKEN`
- `docker-trainer.yml` remains the canonical PAT credential anchor

Not changed (ADR-0042 invariants preserved)
- `variableUpsert` / `serviceInstanceRedeploy` / `serviceDelete` introduced. Scarab control plane is still SSOT (`ssot.scarab_strategy`), not Railway GraphQL.
- `crates/trios-igla-race/Dockerfile.scarab`, which still builds `--bin scarab -p trios-igla-race`.
- `provenance: false` / `sbom: false` / OCI `image.source` label / both-level `packages: write` declarations all preserved (existing guards keep them locked).

Testing
- `python3 -c "import yaml; yaml.safe_load(...)"`.
- `secrets.GITHUB_TOKEN` references remain (grep).
- `scarab_runtime_invariants` integration suite — new guards `sovereign_scarab_workflow_uses_ghcr_trainer_pat_for_login` and `trainer_publish_workflow_anchors_ghcr_trainer_pat_credential` must pass alongside the existing suite.
- `sovereign-scarab` workflow run on `main` after merge pushes `ghcr.io/ghashtag/sovereign-scarab:latest` without `permission_denied: write_package`.

Anchor: phi^2 + phi^-2 = 3. Agent: GENERAL
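The regression guards described above (login must reference `secrets.GHCR_TRAINER_PAT`, must not reference `secrets.GITHUB_TOKEN`) and the substring-match pitfall from the second commit (a comment naming a forbidden symbol trips the guard) can be reconciled by matching on YAML content with comments stripped. The following is an added example in std-only Rust, not the project's `scarab_runtime_invariants.rs`; the workflow text, function names and the `docker/login-action` step layout are constructed for illustration.

```rust
// Added example, not the project's code: a comment-aware guard for workflow
// YAML. SAMPLE_WORKFLOW is constructed here, not the real sovereign-scarab.yml.
pub const SAMPLE_WORKFLOW: &str = r#"
name: sovereign-scarab
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions: { packages: write }
    steps:
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          # Do not revert to secrets.GITHUB_TOKEN: first push of a new ghcr.io
          # package fails with permission_denied: write_package.
          password: ${{ secrets.GHCR_TRAINER_PAT }}
"#;
/// Naive guard: substring match over the whole file, comments included.
pub fn mentions_anywhere(yaml: &str, needle: &str) -> bool {
    yaml.contains(needle)
}

/// Drop a YAML line comment: `#` opens one only at line start or after
/// whitespace, and only outside single or double quotes.
pub fn strip_comment(line: &str) -> &str {
    let (mut in_single, mut in_double, mut prev_ws) = (false, false, true);
    for (i, c) in line.char_indices() {
        match c {
            '\'' if !in_double => in_single = !in_single,
            '"' if !in_single => in_double = !in_double,
            '#' if !in_single && !in_double && prev_ws => return &line[..i],
            _ => {}
        }
        prev_ws = c.is_whitespace();
    }
    line
}
/// Comment-aware guard: the needle must occur in YAML content, not in a comment.
pub fn mentions_in_code(yaml: &str, needle: &str) -> bool {
    yaml.lines().any(|l| strip_comment(l).contains(needle))
}
/// The login guard this PR describes, judged on content so explanatory comments stay allowed.
pub fn login_guard_passes(yaml: &str) -> bool {
    mentions_in_code(yaml, "secrets.GHCR_TRAINER_PAT") && !mentions_in_code(yaml, "secrets.GITHUB_TOKEN")
}
fn main() {
    println!("naive guard trips on comment: {}", mentions_anywhere(SAMPLE_WORKFLOW, "secrets.GITHUB_TOKEN"));
    println!("comment-aware guard passes: {}", login_guard_passes(SAMPLE_WORKFLOW));
}
```

The naive check reports `secrets.GITHUB_TOKEN` as present because of the comment, while the content-only check passes the sample and still fails once the `password:` line is reverted to `GITHUB_TOKEN`.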