Anvil
fangorn/ex_git_objectstore
ref:main

ci: use auto-injected ANVIL_TOKEN from fangorn/anvil#46 #10

merged colechristensen cole.christensen@gmail.com wants to merge ci/use-injected-anvil-token into main
No CI

Replays a commit I pushed too late onto #9. The original commit was added to `fix/release-ci-drop-broken-sanity-check` after #9 was already merged, so it sat as a dangling commit that would never land on main. Cherry-picked onto a fresh branch off current main.

Change

Adds two things to the release step in `.anvil.yml`, both tied to the upcoming fangorn/anvil#57 feature:

  1. Documentation explaining that `ANVIL_TOKEN` and `ANVIL_SERVER_URL` are auto-injected by the runner per job, with no manual secret needed, and that the scope is controlled server-side via `PUT /api/v1/fangorn/ex_git_objectstore/ci/permissions`.

  2. `anvil auth status` called immediately after the CLI is downloaded, before `anvil release create` runs. This fails loud if the runner didn’t inject the token, if the token is malformed, or if the server rejects it — with a clear error rather than the cryptic "not logged in" we saw before.

Merge-order dependency

This PR depends on fangorn/anvil#57 landing and being deployed first. Order:

  1. Merge fangorn/anvil#57 (unified CI token)

  2. Deploy anvil to prod (CI handles this)

  3. As an admin, grant `releases: write` on this repo:

    curl -X PUT -H 'Authorization: Bearer \$YOUR_PAT' \\

         -H 'Content-Type: application/json' \\

         -d '{\"scopes\": {\"releases\": \"write\", \"contents\": \"read\"}}' \\

         https://anvil.fangorn.io/api/v1/fangorn/ex_git_objectstore/ci/permissions

  4. Merge this PR

  5. Release step cuts `2026.4.1` (finally shipping `blob_sizes/3` from #22)

If you merge this PR before fangorn/anvil#57 is deployed, the release step fails at `anvil auth status` with a clean "not logged in" — strictly better than the current cryptic error paths.

Test plan

  • `.anvil.yml` diff is additive only (no existing behavior removed)
  • CI can’t meaningfully test this without the auto-injection in place, so verification waits until anvil#57 lands

Related

🤖 Generated with Claude Code

Created Apr 13, 2026 at 22:18 UTC | Merged Apr 13, 2026 at 23:04 UTC by colechristensen cole.christensen@gmail.com