ref:29413b3ac7c2c5d55a442d8557aea45ff568b4d0

ci: use auto-injected ANVIL_TOKEN from fangorn/anvil#46 (#10)

Replays a commit I pushed too late onto #9. The original commit was added to `fix/release-ci-drop-broken-sanity-check` **after** #9 was already merged, so it sat as a dangling commit that would never land on main. Cherry-picked onto a fresh branch off current main.

## Change

Adds two things to the release step in `.anvil.yml`, both tied to the upcoming fangorn/anvil#57 feature:

1. **Documentation** explaining that `ANVIL_TOKEN` and `ANVIL_SERVER_URL` are auto-injected by the runner per job, with no manual secret needed, and that the scope is controlled server-side via `PUT /api/v1/fangorn/ex_git_objectstore/ci/permissions`.
2. **`anvil auth status`** called immediately after the CLI is downloaded, before `anvil release create` runs. This fails loud if the runner didn't inject the token, if the token is malformed, or if the server rejects it — with a clear error rather than the cryptic "not logged in" we saw before.

## Merge-order dependency

This PR depends on fangorn/anvil#57 landing and being deployed first. Order:

1. Merge fangorn/anvil#57 (unified CI token)
2. Deploy anvil to prod (CI handles this)
3. As an admin, grant `releases: write` on this repo:

       curl -X PUT -H 'Authorization: Bearer $YOUR_PAT' \
         -H 'Content-Type: application/json' \
         -d '{"scopes": {"releases": "write", "contents": "read"}}' \
         https://anvil.fangorn.io/api/v1/fangorn/ex_git_objectstore/ci/permissions

4. Merge this PR
5. Release step cuts `2026.4.1` (finally shipping `blob_sizes/3` from #22)

If you merge this PR before fangorn/anvil#57 is deployed, the release step fails at `anvil auth status` with a clean "not logged in" — strictly better than the current cryptic error paths.

## Test plan

- [x] `.anvil.yml` diff is additive only (no existing behavior removed)
- [ ] CI can't meaningfully test this without the auto-injection in place, so verification waits until anvil#57 lands

## Related

- Closes the work started in #9, which merged without this extra commit
- Refs fangorn/anvil#46 (design), fangorn/anvil#57 (implementation)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
SHA: 29413b3ac7c2c5d55a442d8557aea45ff568b4d0
Author: Anvil <noreply@anvil.fangorn.io>
Date: 2026-04-13 23:03
Parents: 9b1a04f
1 files changed +18 -0
.anvil.yml +18 −0
@@ -90,6 +90,24 @@
curl -sL "https://anvil.fangorn.io/runner/download?os=$(uname -s)&arch=$(uname -m)" -o /usr/local/bin/anvil
chmod +x /usr/local/bin/anvil
# Credentials are auto-injected by the runner: ANVIL_TOKEN is a
# per-job API token generated at dispatch and auto-revoked when
# this job finishes, and ANVIL_SERVER_URL points at the server
# that dispatched us. Both are part of the job environment; we
# don't need to set up any secrets manually.
#
# The scopes granted to that token are controlled by org/repo
# CI-permission settings — for this repo's release step to work,
# an admin must grant `releases: write` via:
# PUT /api/v1/fangorn/ex_git_objectstore/ci/permissions
# See fangorn/anvil#46 for the full design.
#
# `anvil auth status` fails loud if the runner didn't inject the
# token, if it's malformed, or if the server rejects it — which
# is exactly what we want before `anvil release create` tries to
# use it downstream.
/usr/local/bin/anvil auth status
# Compute CalVer version
VERSION=$(bash ci/release.sh)
echo "Releasing version: $VERSION"
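Review bot: The added `/usr/local/bin/anvil auth status` line executes a binary that the two context lines above it fetch with `curl -sL` and mark executable, with no `-f` and no checksum comparison, so an HTTP error body or a tampered download gets run in a job whose environment carries `ANVIL_TOKEN`. Since the new comment says that token is meant to hold `releases: write`, consider `curl -fsSL` plus a pinned SHA-256 check before `chmod +x`, so a bad download stops the step before anything reads the token. The "fails loud" behaviour also depends on the step aborting on a nonzero exit; no `set -e` is visible in this hunk, so if the script does not already set it, append `|| exit 1` to the `auth status` line.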