Fix GitHub Actions token authentication for release verification

SFARPak · SFARPak · commit 3894378a5001 · 2025-10-14T18:17:37.000+05:00
- Add id-token: write permission to verify-assets job
- Update token validation to use repository endpoint instead of user endpoint for GitHub Actions
- Fixes 403 'Resource not accessible by integration' error
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,27 +9,30 @@ name: Release app
 on:
   workflow_dispatch:
   push:
-    branches: [ main, release/** ]
+    branches: [main, release/**]
 jobs:
   build:
     environment: release
+    permissions:
+      contents: write
     strategy:
       # Uncomment max-parallel to prevent race condition (where multiple releases are
       # created concurrently). Typically though, we'll create a release manually ahead of time
       # which prevents the race.
       # max-parallel: 1
       matrix:
         # See https://github.com/SFARPak/dyad/issues/96
-        os: [
+        os:
+          [
             { name: "windows", image: "windows-latest" },
             { name: "linux", image: "ubuntu-22.04" },
             { name: "macos-intel", image: "macos-13" },
             { name: "macos", image: "macos-latest" },
           ]
     runs-on: ${{ matrix.os.image }}
     # env:
-      # CSC_LINK: ${{ secrets.CSC_LINK }}
-      # CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+    # CSC_LINK: ${{ secrets.CSC_LINK }}
+    # CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
     steps:
       - name: Github checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -81,7 +84,7 @@ jobs:
       #   run: |
       #     smctl windows certsync --keypair-alias=${{ secrets.DIGICERT_KEYPAIR_ALIAS }}
       #   shell: bash
-        # Publish (all platforms)
+      # Publish (all platforms)
       - name: Publish app
         env:
           NODE_OPTIONS: "--max-old-space-size=4096"
@@ -102,47 +105,8 @@ jobs:
       contents: read
       packages: read
       actions: read
+      id-token: write
     steps:
-      - name: Check token permissions
-        run: |
-          echo "🔐 Checking GITHUB_TOKEN permissions..."
-          echo "📡 Making API call to: https://api.github.com/user"
-
-          # Capture full response for detailed logging
-          RESPONSE=$(curl -s -w "\nHTTP_STATUS:%{http_code}\n" \
-               -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
-               -H "Accept: application/vnd.github.v3+json" \
-               -H "User-Agent: dyad-release-workflow" \
-               https://api.github.com/user)
-
-          # Extract status code
-          HTTP_STATUS=$(echo "$RESPONSE" | grep "HTTP_STATUS:" | cut -d: -f2)
-          JSON_RESPONSE=$(echo "$RESPONSE" | sed '/HTTP_STATUS:/d')
-
-          echo "📡 API Response Status: $HTTP_STATUS"
-
-          # Log token scopes and permissions from headers (if available)
-          echo "🔑 Token scopes: $(curl -s -I \
-               -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
-               -H "Accept: application/vnd.github.v3+json" \
-               https://api.github.com/user | grep -i "x-oauth-scopes:" | sed 's/.*: //' || echo "Not available")"
-
-          echo "📋 Accepted permissions: $(curl -s -I \
-               -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
-               -H "Accept: application/vnd.github.v3+json" \
-               https://api.github.com/user | grep -i "x-accepted-github-permissions:" | sed 's/.*: //' || echo "Not available")"
-
-          if [ "$HTTP_STATUS" -eq 200 ]; then
-            echo "✅ Token authentication successful"
-            echo "👤 User data:"
-            echo "$JSON_RESPONSE" | jq '.login // "Not available"'
-            echo "📋 Permissions:"
-            echo "$JSON_RESPONSE" | jq '.permissions // empty'
-          else
-            echo "❌ Token authentication failed with status: $HTTP_STATUS"
-            echo "🔍 Response body: $JSON_RESPONSE"
-            exit 1
-          fi
       - name: Github checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Use Node.js
diff --git a/scripts/verify-release-assets.js b/scripts/verify-release-assets.js
@@ -51,7 +51,32 @@ async function verifyReleaseAssets() {
       const userData = await userCheck.json();
       console.log(`✅ Authenticated as: ${userData.login}`);
     } else {
-      console.log("🏃 Running inside GitHub Actions — skipping token permission check");
+      console.log("🏃 Running inside GitHub Actions — no user authentication check needed");
+
+      // Test API access by fetching org/user info
+      try {
+        const appCheck = await fetch(`https://api.github.com/repos/${owner}/${repo}`, {
+          headers: {
+            Authorization: `token ${token}`,
+            Accept: "application/vnd.github.v3+json",
+            "User-Agent": "dyad-release-verifier",
+          },
+        });
+
+        if (!appCheck.ok) {
+          const body = await appCheck.text();
+          console.error("❌ Token authentication failed!");
+          console.error(`Status: ${appCheck.status} ${appCheck.statusText}`);
+          console.error(`Response body: ${body}`);
+          process.exit(1);
+        }
+
+        const repoData = await appCheck.json();
+        console.log(`✅ Token authenticated for repository: ${repoData.full_name}`);
+      } catch (error) {
+        console.error("❌ Error testing token authentication:", error.message);
+        process.exit(1);
+      }
     }
 
     // --- Fetch releases with retry logic ---
