Skip to content

ci: inline Spec Kit catalog sync into release workflow#199

Merged
raccioly merged 1 commit into
mainfrom
fix/inline-catalog-sync
May 26, 2026
Merged

ci: inline Spec Kit catalog sync into release workflow#199
raccioly merged 1 commit into
mainfrom
fix/inline-catalog-sync

Conversation

@raccioly

Copy link
Copy Markdown
Owner

Summary

Permanently fixes the auto-sync to the Spec Kit community catalog. Every release since the workflow_run auth quirk surfaced has had its post-release sync silently fail with HTTP 401 on gh repo sync raccioly/spec-kit --source github/spec-kit, despite the PAT being valid (manual `workflow_dispatch` of the same workflow with the same secret succeeds every time).

What changed

  • release.yml — adds a final `sync-catalog` job after `publish-npm` / `publish-pypi` / `build-extension`. Same step logic as the standalone workflow, but now runs inside the release workflow's own context, where secret access is consistent.
  • sync-speckit-catalog.yml — drops the brittle `workflow_run` trigger and renames the workflow to "(Manual)". Keeps the `workflow_dispatch` path for one-off recovery, metadata-only refreshes, or retrying after upstream maintenance. Step logic untouched.

Why this is safe

  • No behavior change for end users. The PR opened against `github/spec-kit` has identical content. Only the trigger mechanism changes.
  • No new secrets, scopes, or permissions — same `SPECKIT_PR_TOKEN`, same `gh` commands.
  • No code changes, no test impact.
  • The standalone workflow is retained, so if the inlined job ever breaks, the manual path still works.

Verification

  • YAML parses cleanly (`ruby -ryaml -e "YAML.load_file(...)"`)
  • Diff is +136/-9 lines, isolated to two workflow files
  • Will be validated end-to-end by the next real release that this PR enables

Out of scope

  • The currently-stale catalog entry is already being updated by PR #2707 (filed via manual workflow_dispatch yesterday).

🤖 Generated with Claude Code

Fixes the auto-sync that has been failing on every release since the
workflow_run auth quirk surfaced. The sync job moves into release.yml
as a final step after publish-npm/publish-pypi/build-extension.

The previous workflow_run trigger consistently 401'd on
`gh repo sync raccioly/spec-kit --source github/spec-kit` even with a
valid SPECKIT_PR_TOKEN — `workflow_dispatch` runs of the same workflow
with the same secret succeed. Same-workflow secret access avoids the
quirk.

sync-speckit-catalog.yml is kept (renamed "(Manual)") with only the
workflow_dispatch trigger, for one-off recovery / metadata refreshes
outside the release flow. Step logic is unchanged in both places.

No behavior change for users — the resulting PR to github/spec-kit is
identical content, just now triggered atomically with the release
instead of via a brittle cross-workflow event.
@raccioly raccioly merged commit e698492 into main May 26, 2026
@raccioly raccioly deleted the fix/inline-catalog-sync branch May 26, 2026 16:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant