Copilot commented on code in PR #10228:
URL: https://github.com/apache/gravitino/pull/10228#discussion_r2887389466
##########
.github/workflows/cherry-pick-branch.yml:
##########
@@ -44,7 +44,10 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
- token: ${{ secrets.GITHUB_TOKEN }}
+ # A PAT (or GitHub App token) is required so that the created PR
+ # triggers downstream CI workflows. GITHUB_TOKEN-created events
+ # are intentionally ignored by GitHub to prevent recursive runs.
+ token: ${{ secrets.CHERRY_PICK_TOKEN || secrets.GITHUB_TOKEN }}
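Review bot: The `||` fallback on the `token:` line silently contradicts the comment directly above it, which states that a PAT or App token "is required" for downstream CI to fire. If `CHERRY_PICK_TOKEN` is unset, the job still succeeds with `GITHUB_TOKEN`, so the one symptom (no CI on the cherry-pick PR) surfaces only later and is hard to attribute. Either drop the fallback so a missing secret fails the job visibly, or add a step right after checkout that emits a warning when `secrets.CHERRY_PICK_TOKEN == ''`, so the degraded mode is at least recorded in the run log. Also, a write-capable PAT passed to `actions/checkout` is available to every later step of the job; keep that in mind when reviewing what the remaining steps execute.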
Review Comment:
`CHERRY_PICK_TOKEN` is referenced, but this reusable workflow doesn’t
declare it under `on.workflow_call.secrets`. Without declaring it, callers
can’t explicitly pass this secret (and may be forced onto the `GITHUB_TOKEN`
fallback, which won’t trigger downstream CI). Declare `CHERRY_PICK_TOKEN` as an
optional secret in the reusable workflow interface so it can be provided
reliably.
##########
.github/workflows/cherry-pick-branch.yml:
##########
@@ -88,7 +91,7 @@ jobs:
- name: Create Pull Request
if: steps.cherry-pick.outputs.branch-name != ''
env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ secrets.CHERRY_PICK_TOKEN || secrets.GITHUB_TOKEN }}
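Review bot: The `GH_TOKEN` expression on this line duplicates the exact `secrets.CHERRY_PICK_TOKEN || secrets.GITHUB_TOKEN` expression used for the checkout `token:` earlier in the same job. If one copy is later changed and the other is not, the branch push (done with the checkout credentials) and the `gh` PR creation would run under different identities, which is confusing to debug and to audit. Consider hoisting the expression once into a job-level `env:` (for example `env: { CHERRY_PICK_GH_TOKEN: ... }`) and referencing that single value from both the checkout step and this step, so the token selection is made in exactly one place.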
Review Comment:
This workflow needs write privileges to push the cherry-pick branch and open
a PR. If the expression falls back to `secrets.GITHUB_TOKEN`, the run can fail
(or behave inconsistently across repos) unless the workflow explicitly requests
`permissions` like `contents: write` and `pull-requests: write`. Consider
setting those permissions to avoid relying on repository defaults.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]