@sanbotto sanbotto commented Dec 2, 2025

Also adding debugging steps to the workflows.

Summary by CodeRabbit

  • Chores
    • Standardized CI/CD workflow status messaging for improved readability
    • Enhanced debugging capabilities in build and release pipelines
    • Refined image tagging automation logic for consistency
    • Strengthened authentication security in release workflows

@sanbotto sanbotto self-assigned this Dec 2, 2025
coderabbitai bot commented Dec 2, 2025

Walkthrough

This PR updates two GitHub workflows to improve debugging and messaging consistency. The changes replace emoji status indicators with plain text messages across multiple validation and release steps in both build-and-push-images.yaml and create-release.yaml. Additional debug steps were introduced to display intermediate values for tags, event names, and metadata. The create-release workflow was modified to use AETHERLAY_GITHUB_TOKEN instead of GITHUB_TOKEN in specific steps, and conditional logic for image tagging was adjusted. No changes were made to exported or public entity declarations.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title focuses on token usage but the changeset includes extensive debug logging additions and emoji removal across two workflows, making it only partially representative of the overall changes. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 29aab3d and 1ace2b6.

📒 Files selected for processing (2)
  • .github/workflows/build-and-push-images.yaml (11 hunks)
  • .github/workflows/create-release.yaml (8 hunks)
🔇 Additional comments (8)
.github/workflows/build-and-push-images.yaml (4)

78-82: Message cleanup looks good.

Replacing emoji with plain text improves readability and portability of logs.

Also applies to: 94-98, 104-104, 123-123, 129-129, 136-136, 147-150, 158-161, 163-163, 168-168


177-189: Debug steps improve observability.

The new debug steps help troubleshoot tag generation and conditional logic, particularly useful for diagnosing why "latest" is or isn't being applied.

Also applies to: 246-255, 271-275, 316-325, 341-345


262-262: Tag logic refinement is appropriate.

The added condition needs.parse_tags.outputs.has_custom_tags != 'true' prevents unintended "latest" tagging when custom tags are explicitly provided, which aligns with container image versioning best practices. The string comparison matches the output format from parse_tags (lines 209, 212).

Also applies to: 332-332


244-244: Clarify PR objective regarding token changes.

The PR title references fixing "the right token," but this file already uses secrets.AETHERLAY_GITHUB_TOKEN at lines 244 and 314. The AI summary indicates that create-release.yaml was also modified to use this token, but that file is not provided for review.

Please confirm:

  1. Are these token usages already the intended state?
  2. Is the token fix part of changes in the non-provided create-release.yaml?

Also applies to: 314-314

.github/workflows/create-release.yaml (4)

31-34: Message refactoring improves clarity.

The replacement of emoji-style indicators with plain text messages across validation and error steps improves log readability and consistency. The messages are now more descriptive and provide better context (e.g., "VERSION is greater than latest release" instead of an emoji indicator).

No issues identified with the updated messaging logic or error paths.

Also applies to: 43-45, 54-55, 63-63, 82-82, 88-88, 95-95, 102-102, 161-161, 165-165


179-189: Debug step aids troubleshooting.

The new debug step provides explicit output of the tags being passed to the build workflow, including a breakdown of individual tags. This is helpful for diagnosing tag-related issues during workflow execution.


145-146: Verify permissions declaration aligns with token capabilities.

The new permissions block declares contents: write, which is required for creating tags and releases. Ensure that the AETHERLAY_GITHUB_TOKEN has at least these permissions. If the custom token has broader or narrower permissions than intended, it may cause silent failures or over-privileged access.

Confirm that AETHERLAY_GITHUB_TOKEN includes contents: write permission in its configuration (typically via GitHub App settings or fine-grained personal access token scopes).


152-153: Verify that AETHERLAY_GITHUB_TOKEN secret exists and has required permissions.

The workflow uses AETHERLAY_GITHUB_TOKEN instead of the default GITHUB_TOKEN in both the checkout step (line 152) and the release creation step (line 177). Ensure:

  1. The secret AETHERLAY_GITHUB_TOKEN exists in the repository's secrets configuration.
  2. The token has at least contents: write permission to create tags and releases (consistent with the permissions block on lines 145-146).
  3. Using persist-credentials: true (line 153) with a custom token retains credentials for subsequent git operations; verify this is intentional and doesn't introduce security risks.

Without this configuration, the workflow will fail at the checkout step.

Also applies to: 177


@sanbotto sanbotto merged commit c49930a into main Dec 2, 2025
6 of 7 checks passed
@sanbotto sanbotto deleted the fix/use-the-right-token-for-wf branch December 2, 2025 15:38
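
The review's point about `persist-credentials: true` combined with a custom token can be checked mechanically. The following is an added example, not code from this PR or from CodeRabbit: a line-based scan that lists `actions/checkout` steps where a non-default secret is left configured for later git commands. The sample workflow, step names and function names are constructed for illustration; only the secret name comes from the review.

```python
import re

# Constructed sample workflow; NOT the contents of the PR's create-release.yaml.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.AETHERLAY_GITHUB_TOKEN }}
          persist-credentials: true
      - name: Checkout docs
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.AETHERLAY_GITHUB_TOKEN }}
          persist-credentials: false
      - name: Checkout with default token
        uses: actions/checkout@v4
"""

STEP_START = re.compile(r"^\s*-\s+[\w-]+:")            # "- name:", "- uses:", ...
KEY_VALUE = re.compile(r"^\s*(?:-\s+)?([\w-]+):\s*(.*?)\s*$")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")

def parse_steps(text):
    """Line-based scan (not a full YAML parser): one key/value dict per list item."""
    steps = []
    for line in text.splitlines():
        if STEP_START.match(line):
            steps.append({})
        m = KEY_VALUE.match(line)
        if m and steps:
            steps[-1][m.group(1)] = m.group(2)
    return steps

def persisted_custom_tokens(text):
    """Return (step name, secret name) for checkouts that persist a non-default token."""
    findings = []
    for step in parse_steps(text):
        ref = SECRET_REF.search(step.get("token", ""))
        is_checkout = step.get("uses", "").startswith("actions/checkout@")
        if not is_checkout or not ref or ref.group(1) == "GITHUB_TOKEN":
            continue
        # persist-credentials defaults to true; only an explicit false clears the finding.
        if step.get("persist-credentials", "true").strip("'\"").lower() != "false":
            findings.append((step.get("name", "<unnamed>"), ref.group(1)))
    return findings

if __name__ == "__main__":
    print(persisted_custom_tokens(SAMPLE_WORKFLOW))
```

A finding is not automatically a defect: a release job that pushes tags needs the credential, so the output is a list of steps to confirm as intentional.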