From b3175ed26938fe407e1498338de94ead77d0f1dd Mon Sep 17 00:00:00 2001
From: Randy Fay
Date: Wed, 6 May 2026 10:42:53 -0600
Subject: [PATCH 1/2] fix: use correct secret name and add tmate debug support

Use OP_SERVICE_ACCOUNT_TOKEN (matching repo convention) instead of PUSH_SERVICE_ACCOUNT_TOKEN, and add debug_enabled input with tmate session step.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/push-image.yml | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/push-image.yml b/.github/workflows/push-image.yml
index ad6ec53..5ee38ea 100644
--- a/.github/workflows/push-image.yml
+++ b/.github/workflows/push-image.yml
@@ -4,12 +4,20 @@ name: Push Image
 # machines don't need cross-compilation. Triggered manually only.
 #
 # Required repository secrets:
-# PUSH_SERVICE_ACCOUNT_TOKEN - 1Password service account token
+# OP_SERVICE_ACCOUNT_TOKEN - 1Password service account token
 # Required repository variables:
 # DOCKERHUB_USERNAME - Docker Hub username
+# Required 1Password item:
+# op://push-secrets/DOCKERHUB_TOKEN/credential
 
 on:
   workflow_dispatch:
+    inputs:
+      debug_enabled:
+        description: 'Run the build with tmate set "debug_enabled"'
+        type: boolean
+        required: false
+        default: false
 
 permissions:
   contents: read
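Review bot: The `description` of the new `debug_enabled` input reads like an internal note rather than a prompt for the person dispatching the run; `description: 'Open a tmate debug session during the build (manual runs only)'` says what the flag does. The header comment block lists required secrets, variables and the 1Password item but not this optional input, so one more line there, such as `# Optional input: debug_enabled - open a tmate session for interactive debugging`, would keep the header complete. Since the input is `type: boolean` with `default: false`, a dispatch that omits it evaluates falsy in the later `if:` as intended; that is worth a short comment on the `default: false` line so nobody "fixes" it to a string.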
@@ -25,14 +33,21 @@ jobs:
         id: version
         run: echo "version=$(cat VERSION)" >> "$GITHUB_OUTPUT"
 
-      - name: Load 1password secret(s)
+      - name: Load 1Password secrets
         uses: 1password/load-secrets-action@v4
         with:
           export-env: true
         env:
-          OP_SERVICE_ACCOUNT_TOKEN: "${{ secrets.PUSH_SERVICE_ACCOUNT_TOKEN }}"
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
           DOCKERHUB_TOKEN: "op://push-secrets/DOCKERHUB_TOKEN/credential"
 
+      - name: Setup tmate session
+        uses: mxschmitt/action-tmate@v3
+        with:
+          limit-access-to-actor: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+        if: ${{ github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4
 

From 9bedcffa5c437d4962c80c4310e69fdabe7589e2 Mon Sep 17 00:00:00 2001
From: Randy Fay
Date: Wed, 6 May 2026 10:56:05 -0600
Subject: [PATCH 2/2] fix: use PUSH_SERVICE_ACCOUNT_TOKEN for push-secrets vault access

OP_SERVICE_ACCOUNT_TOKEN only has access to test-secrets vault. PUSH_SERVICE_ACCOUNT_TOKEN is the correct token for the push-secrets vault where DOCKERHUB_TOKEN lives.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/push-image.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/push-image.yml b/.github/workflows/push-image.yml
index 5ee38ea..dc1ddd1 100644
--- a/.github/workflows/push-image.yml
+++ b/.github/workflows/push-image.yml
@@ -4,7 +4,7 @@ name: Push Image
 # machines don't need cross-compilation. Triggered manually only.
 #
 # Required repository secrets:
-# OP_SERVICE_ACCOUNT_TOKEN - 1Password service account token
+# PUSH_SERVICE_ACCOUNT_TOKEN - 1Password service account with push-secrets vault access
 # Required repository variables:
 # DOCKERHUB_USERNAME - Docker Hub username
 # Required 1Password item:
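Review bot: The new `Setup tmate session` step is placed after `Load 1Password secrets` has already exported `DOCKERHUB_TOKEN` into the job environment via `export-env: true`, so the interactive shell inherits the Docker Hub push credential; `limit-access-to-actor: true` confines that to the dispatching user, but moving the tmate step above the secrets load (or, if the session must see the token, saying so in a comment on the step) keeps a debugging aid from doubling as a credential-disclosure path. `uses: mxschmitt/action-tmate@v3` pins a third-party action that hands out shell access on a runner holding a registry credential by floating tag; the usual supply-chain control is a full commit SHA with the version in a trailing comment, e.g. `uses: mxschmitt/action-tmate@<commit-sha-of-v3>  # v3`. A live session also holds the runner until it is closed, so a step-level `timeout-minutes:` on this step bounds how long a forgotten session can tie up the job. The `github.event_name == 'workflow_dispatch'` half of the `if:` is always true in a workflow that only triggers on `workflow_dispatch`, so `if: ${{ inputs.debug_enabled }}` reads more directly, though the longer form is harmless. The enclosing `steps:` list and its job header begin outside the hunk.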
@@ -38,7 +38,7 @@ jobs:
         with:
           export-env: true
         env:
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.PUSH_SERVICE_ACCOUNT_TOKEN }}
           DOCKERHUB_TOKEN: "op://push-secrets/DOCKERHUB_TOKEN/credential"
 
       - name: Setup tmate session
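Review bot: The repository secret `PUSH_SERVICE_ACCOUNT_TOKEN` is mapped onto the environment variable `OP_SERVICE_ACCOUNT_TOKEN` that `load-secrets-action` reads, and that name mismatch is exactly what the first commit in this series mistook for a bug before this one reverted it; a comment directly above the `OP_SERVICE_ACCOUNT_TOKEN:` line, such as `# repo secret PUSH_SERVICE_ACCOUNT_TOKEN is scoped to the push-secrets vault; the action expects it under the name OP_SERVICE_ACCOUNT_TOKEN`, would stop the next "fix". Keeping a separate, vault-scoped service account for the push credential rather than reusing the broader test-secrets token is the right least-privilege split per the commit message, and that rationale is worth stating at the point of use rather than only in git history. The step's `- name:` and `uses:` lines sit above the hunk.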