
chore(ci): remove dockerhub-description continue-on-error workaround + document scope #106

Merged: voyvodka merged 1 commit into main from chore/dockerhub-token-scope on May 11, 2026

@voyvodka
Owner

Summary

Tur 6a — closes one of the two pre-B1 backlog items from .planning/TODO.md.

The Sync Docker Hub description step in release.yml has been carrying continue-on-error: true since the very first release because DOCKERHUB_TOKEN lacked the repo:write_metadata scope. The workaround masked a recoverable secret-misconfiguration: every release silently lost the Docker Hub overview sync.

Changes

  • .github/workflows/release.yml — removed continue-on-error: true, replaced the inline comment with a pointer to docs/RELEASE.md §1.
  • docs/RELEASE.md §1 DOCKERHUB_TOKEN row now lists the three required scopes (repo:read, repo:write, repo:write_metadata) and where to set them (Docker Hub → Account Settings → Personal Access Tokens).

Behaviour after merge

  • Operators that have already widened their token scope: no observable change. The step now succeeds visibly instead of being skipped silently.
  • Operators that haven't widened scope: the next v* tag push will hard-fail at this step with a 403. That's the correct signal to widen the scope once and forget about it. The image push above this step is already committed at that point — the failure is recoverable without re-tagging (re-run the failed job after fixing the token).

Test plan

  • Workflow YAML syntax validates locally.
  • CHANGELOG entry under Unreleased > Build (and Documentation for the doc note).
  • CI green on PR (workflow change only fires on v* tags, so this PR's CI exercises the YAML parse only).

…+ document scope

Closes the 'borç' from .planning/TODO.md: the Sync Docker Hub
description step in release.yml has been carrying continue-on-error:
true since the very first release because DOCKERHUB_TOKEN lacked
repo:write_metadata. The workaround masked a recoverable secret-
misconfiguration: every release silently lost the Docker Hub overview
sync, leaving the readme-filepath upload as a no-op.

Now:
- release.yml requires the step to succeed; a 403 surfaces as a
  CI failure on tag push, not a quiet skip.
- docs/RELEASE.md §1 lists the three required token scopes
  (repo:read, repo:write, repo:write_metadata) and where to set
  them on Docker Hub.

Operators that have already widened the token scope see no behaviour
change. Operators that hadn't will get a hard CI failure on the
next v* tag push, which is the correct signal to widen the scope
once and forget about it.
@voyvodka added the documentation (Documentation improvements), ci (CI / GitHub Actions workflows) and docker (Docker / container dependencies) labels May 11, 2026
@voyvodka enabled auto-merge (squash) May 11, 2026 08:35
@voyvodka merged commit 1cbc4c1 into main May 11, 2026
7 checks passed
@voyvodka deleted the chore/dockerhub-token-scope branch May 11, 2026 08:38
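
An added example, not part of this PR or the project's code: a small Python check that flags workflow steps which reference a secret and also set a literal continue-on-error: true, the pattern this PR removes from release.yml. The sample workflow, the action name and the function name are constructed for illustration, and the line-based scanner assumes conventional block-style YAML.

```python
import re

SECRET = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)")
MASK = re.compile(r"^(?:-\s+)?continue-on-error:\s*true\s*(?:#.*)?$")

def find_masked_secret_steps(workflow_text):
    """Steps that use a secret and also set a literal continue-on-error: true."""
    findings, step, steps_indent, dash_indent = [], None, None, None
    def close():  # record the finished step as (label, start line, secret names)
        if step and step["masked"] and step["secrets"]:
            findings.append((step["label"], step["line"], sorted(step["secrets"])))
    for lineno, raw in enumerate(workflow_text.splitlines(), 1):
        text = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if not text or text.startswith("#"):
            continue
        if text == "steps:":
            close()
            step, steps_indent, dash_indent = None, indent, None
        elif steps_indent is None:
            continue  # outside any steps: list
        elif text.startswith("- ") and dash_indent in (None, indent):
            close()  # a dash at the list's own indent opens the next step
            label = text[2:].strip().removeprefix("name:").strip()
            step = {"label": label, "line": lineno, "masked": False, "secrets": set()}
            dash_indent = indent
        elif indent <= steps_indent:
            close()  # dedent: the steps list is over
            step = steps_indent = None
        if step is not None:
            step["masked"] = step["masked"] or bool(MASK.match(text))
            step["secrets"].update(SECRET.findall(text))
    close()
    return findings

SAMPLE = """\
jobs:  # constructed sample, not the project's release.yml
  publish:
    steps:
      - name: Push image
        run: ./push.sh
        env:
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Sync Docker Hub description
        uses: example-org/sync-description@v1  # hypothetical action
        continue-on-error: true
        with:
          password: ${{ secrets.DOCKERHUB_TOKEN }}
"""
```

Run over the files in .github/workflows/, a non-empty result points at steps where a credential failure such as a 403 would be swallowed instead of failing the job.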