From 3a7c55ea6fbeda8ae38b86c60a22736228466956 Mon Sep 17 00:00:00 2001
From: Aaron Stainback
Date: Fri, 24 Apr 2026 22:44:40 -0400
Subject: [PATCH] ci(gate): expose GITHUB_TOKEN to workflow so mise aqua backend
 hits authenticated rate limit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Observed failure pattern (#404 actionlint this tick, prior #398 #282 similar):

    mise ERROR Failed to install tools: aqua:astral-sh/uv@0.9 aqua:koalaman/shellcheck@0.11.0 aqua:rhysd/actionlint@1.7.12
    HTTP 403 Forbidden for api.github.com/repos///releases/tags/

Root cause: mise's `aqua:` backend fetches release-tag metadata from the
GitHub API. Unauthenticated requests hit the shared-runner-IP rate limit
(60/hr). With GITHUB_TOKEN exposed to the step, mise authenticates and gets
5000/hr per token, plenty of headroom for the 8-ish tools we install.

Set at workflow level instead of per-step so every install-toolchain step
in gate.yml benefits. Workflow-level `permissions: contents: read` is
unchanged, so the token carries the same minimal read scope; mise only
needs to read release-tag metadata anyway.

This replaces the previous "just retry" mitigation for transient
rate-limit failures (Otto-Mise-rate-limit-pattern in earlier ticks) with a
permanent fix.

Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/gate.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/.github/workflows/gate.yml b/.github/workflows/gate.yml
index 811baae3..76d5bb27 100644
--- a/.github/workflows/gate.yml
+++ b/.github/workflows/gate.yml
@@ -45,6 +45,20 @@ on: permissions: contents: read +# Workflow-level env: exposes GITHUB_TOKEN to every step so mise's +# `aqua:` backend (used for uv / shellcheck / actionlint / +# markdownlint-cli2 / etc) can authenticate its GitHub API calls. +# Without a token, mise hits the unauthenticated rate limit +# (60 requests per hour per IP, shared across all GitHub Actions +# runners) and fails to fetch release tags with a 403. With the +# token, the limit is 5000/hr per token. See +# https://mise.jdx.dev/dev-tools/github-tokens.html for mise's +# supported token sources. The token inherits the workflow's +# `permissions: contents: read` — no write escalation; mise only +# reads release-tag metadata. +env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }}
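Review bot: the workflow-level `env:` block in this hunk puts `GITHUB_TOKEN` into the process environment of every step of every job in gate.yml, not only the install-toolchain steps that run mise, so any third-party action or `run` step anywhere in the workflow can read it; the commit message only justifies the install-toolchain steps needing it. Scope it down by moving the same two lines (`env:` / `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) under the job(s) that run mise, or under the mise step itself, which is the tightest option and still satisfies the token sources listed at the mise URL in the comment. Second, the comment's statement that the token "inherits the workflow's `permissions: contents: read`" is only true for jobs that do not declare their own `permissions:` block; this hunk cannot show whether any job in gate.yml does, so either check the rest of the file or qualify the comment. Third, the `5000/hr per token` figure in the comment is the documented limit for a personal access token; GitHub documents a separate, lower primary limit for `GITHUB_TOKEN` issued to Actions runs (1,000 requests per hour per repository on github.com), so verify the number against the current docs before it is committed as the rationale.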