Refresh Existing Promotion Releases

AnastaZIuk · AnastaZIuk · commit 465b4a4f57d7 · 2026-03-15T18:31:24.000+01:00
diff --git a/.github/workflows/promote-nsc-channel.yml b/.github/workflows/promote-nsc-channel.yml
@@ -119,7 +119,8 @@ jobs:
 
       - name: Publish release to manifest backend
         env:
-          GH_TOKEN: ${{ secrets.CR_PAT }}
+          CR_PAT: ${{ secrets.CR_PAT }}
+          READ_PAT: ${{ secrets.READ_PAT }}
           RELEASE_TAG: ${{ steps.source-run.outputs.release_tag }}
           SOURCE_SHA: ${{ steps.source-run.outputs.source_sha }}
           SOURCE_BRANCH: ${{ steps.source-run.outputs.source_branch }}
@@ -136,6 +137,19 @@ jobs:
 
           source_repo_url="https://github.com/${SOURCE_REPO}"
           source_commit_url="${source_repo_url}/commit/${SOURCE_SHA}"
+          updated_at="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+          release_token_candidates=()
+          if [[ -n "${CR_PAT}" ]]; then
+            release_token_candidates+=("${CR_PAT}")
+          fi
+          if [[ -n "${READ_PAT}" && "${READ_PAT}" != "${CR_PAT}" ]]; then
+            release_token_candidates+=("${READ_PAT}")
+          fi
+          if [[ "${#release_token_candidates[@]}" -eq 0 ]]; then
+            echo "No token is available for manifest backend release operations." >&2
+            exit 1
+          fi
+
           notes_file="${RUNNER_TEMP}/nsc-release-notes.md"
           cat > "${notes_file}" <<EOF
           Promoted NSC payload from [\`${SOURCE_REPO}\`](${source_repo_url}).
@@ -144,18 +158,40 @@ jobs:
           - source branch: \`${SOURCE_BRANCH}\`
           - source event: \`${SOURCE_EVENT}\`
           - source run: [\`${RUN_ID}\`](${RUN_URL})
+
+          Updated at \`${updated_at}\`.
           EOF
 
           release_exists=false
-          if gh release view "${RELEASE_TAG}" --repo "${ASSET_REPO}" >/dev/null 2>&1; then
-            release_exists=true
-          fi
+          release_id=""
+          release_token="${release_token_candidates[0]}"
+          for candidate in "${release_token_candidates[@]}"; do
+            if release_json="$(GH_TOKEN="${candidate}" gh api "repos/${ASSET_REPO}/releases/tags/${RELEASE_TAG}" 2>/dev/null)"; then
+              release_exists=true
+              release_id="$(jq -r '.id' <<<"${release_json}")"
+              release_token="${candidate}"
+              break
+            fi
+          done
+          export GH_TOKEN="${release_token}"
 
           if [[ "${release_exists}" == "false" ]]; then
-            gh release create "${RELEASE_TAG}" \
-              --repo "${ASSET_REPO}" \
-              --title "${RELEASE_TAG}" \
-              --notes-file "${notes_file}"
+            release_created=false
+            for candidate in "${release_token_candidates[@]}"; do
+              if GH_TOKEN="${candidate}" gh release create "${RELEASE_TAG}" \
+                --repo "${ASSET_REPO}" \
+                --title "${RELEASE_TAG}" \
+                --notes-file "${notes_file}"; then
+                release_token="${candidate}"
+                export GH_TOKEN="${release_token}"
+                release_created=true
+                break
+              fi
+            done
+            if [[ "${release_created}" != "true" ]]; then
+              echo "Failed to create release ${RELEASE_TAG} in ${ASSET_REPO}." >&2
+              exit 1
+            fi
 
             mapfile -d '' payload_assets < <(find "${RUNNER_TEMP}/nsc-payload" -maxdepth 1 -type f -print0)
             if [[ "${#payload_assets[@]}" -eq 0 ]]; then
@@ -167,11 +203,26 @@ jobs:
             gh release upload "${RELEASE_TAG}" "${payload_assets[@]}" --repo "${ASSET_REPO}"
           else
             echo "Release ${RELEASE_TAG} already exists in ${ASSET_REPO}. Reusing immutable release."
-            if ! gh release edit "${RELEASE_TAG}" \
-              --repo "${ASSET_REPO}" \
-              --title "${RELEASE_TAG}" \
-              --notes-file "${notes_file}"; then
-              echo "Skipping release note refresh for existing ${RELEASE_TAG}." >&2
+            patch_file="${RUNNER_TEMP}/nsc-release-patch.json"
+            jq -n \
+              --arg name "${RELEASE_TAG}" \
+              --rawfile body "${notes_file}" \
+              '{name:$name, body:$body}' > "${patch_file}"
+            release_refreshed=false
+            for candidate in "${release_token_candidates[@]}"; do
+              if GH_TOKEN="${candidate}" gh api \
+                --method PATCH \
+                "repos/${ASSET_REPO}/releases/${release_id}" \
+                --input "${patch_file}" >/dev/null 2>&1; then
+                release_token="${candidate}"
+                export GH_TOKEN="${release_token}"
+                release_refreshed=true
+                break
+              fi
+            done
+            if [[ "${release_refreshed}" != "true" ]]; then
+              echo "Failed to refresh notes for existing ${RELEASE_TAG}. Provide a token with release edit permissions." >&2
+              exit 1
             fi
           fi
 
