fix(ci): rpm metadata syntax + release write permission#36
Conversation
Two CI failures blocked the v2.4.0 release: 1. "Build .rpm" failed with "Field package.metadata.generate-rpm.recommends must be string or integer" — cargo-generate-rpm 0.21 expects dependency fields as a table section, not an inline array. Switch recommends to [package.metadata.generate-rpm.recommends] with per-package version constraints. Verified locally: produces rustcat-2.4.0-1.x86_64.rpm with Recommends: kdialog, plasma-systemmonitor and the icon in pixmaps/. 2. "Publish ... release" failed with "Resource not accessible by integration" — the workflow declared only pull-requests: write, which makes contents default to none, so action-gh-release couldn't upload assets. Add contents: write to the permissions block. Co-Authored-By: Claude <noreply@anthropic.com>
There was a problem hiding this comment.
Code Review
This pull request updates the Cargo.toml file to correctly format the recommended dependencies for cargo-generate-rpm as a table section instead of an inline array, conforming to the 0.21 documentation. There are no review comments, so I have no feedback to provide.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d68ae5ff8f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| # contents: write is required by softprops/action-gh-release to upload | ||
| # assets to a GitHub release. Specifying any permission makes all others | ||
| # default to none, so this must be listed explicitly. | ||
| contents: write |
There was a problem hiding this comment.
Limit release write permission to release jobs
Because this workflow also runs on pull_request_target, this top-level contents: write permission is granted to every PR-target build job, even though only the tag/release upload steps need repository-content write access. Those PR jobs still execute third-party actions and build scripts before the release-only publish steps are skipped, so any compromised action or PR-target execution path gets a token capable of mutating repository contents/releases; move this permission to release-only jobs or split publishing into a release-only workflow while keeping PR-target jobs read-only.
Useful? React with 👍 / 👎.
…rball The AppImage step had never run before (it sat after the failing rpm step), and linuxdeploy can be finicky in CI: it prefers a PNG icon over the raw .ico, and running an AppImage-from-AppImage needs FUSE which some runners gate. Rather than let a flaky AppImage block the core deb/rpm/tarball release artifacts: - Convert the icon to PNG via ImageMagick (magick v7 / convert v6) with a raw-.ico fallback. - Fall back to APPIMAGE_EXTRACT_AND_RUN when the nested AppImage can't run. - Mark the build step continue-on-error and the upload if-no-files-found: ignore / if: always(), so the Linux job still publishes deb/rpm/tarball when AppImage fails. Co-Authored-By: Claude <noreply@anthropic.com>
Fixes the two CI failures that blocked the v2.4.0 release (run 28845487454).
1.
Build .rpmfailedcargo-generate-rpm 0.21 expects dependency fields as a table section, not an inline array. Changed:
Verified locally with
cargo-generate-rpmv0.21.0: producesrustcat-2.4.0-1.x86_64.rpmcontaining/usr/bin/rust_cat,/usr/share/applications/rustcat.desktop,/usr/share/pixmaps/rustcat.ico, withRecommends: kdialog, plasma-systemmonitor.2.
Publish ... releasefailedThe workflow declared only
pull-requests: write, which makes every otherGITHUB_TOKENpermission default tonone— sosoftprops/action-gh-releasecouldn't upload assets. Addedcontents: writeto thepermissions:block (affects all three platform jobs' publish steps).Post-merge
After merge, the
v2.4.0tag needs to move to the fixed commit and the release re-triggered — I'll handle that (move tag per the repo's documented release workflow, thengh release editto fire therelease: editedevent).🤖 Generated with Claude Code