
ci: use admin token for cache push to bypass branch protection#1321

Merged
sbryngelson merged 2 commits into MFlowCode:master from sbryngelson:fix/cache-commit-no-verify
Mar 18, 2026

Conversation

@sbryngelson

Summary

  • The rebuild-cache job's push to master is blocked by GitHub repository rulesets (GH013). The default GITHUB_TOKEN doesn't have the Repository Admin role needed to bypass branch protection.
  • Fix: use CACHE_PUSH_TOKEN secret (admin-scoped) for the push step only.

Follows up on #1320.

Test plan

  • rebuild-cache job pushes cache to master successfully

🤖 Generated with Claude Code

Copilot AI review requested due to automatic review settings March 18, 2026 01:51
@sbryngelson sbryngelson merged commit 5c74f9f into MFlowCode:master Mar 18, 2026
28 of 30 checks passed
@github-actions

Claude Code Review

Head SHA: 88a1af7

Files changed:

  • 1
  • .github/workflows/test.yml

Summary:

  • Adds CACHE_PUSH_TOKEN (admin-scoped secret) to the cache-push step to bypass branch protection rulesets blocking the default GITHUB_TOKEN.
  • Embeds the token inline in the git push URL.
  • Adds --no-verify to the automated cache commit (following up on ci: skip pre-commit hook on automated cache commit #1320).

Findings:

Token embedded in push URL (.github/workflows/test.yml, line ~172):

git push https://x-access-token:${CACHE_PUSH_TOKEN}@github.com/MFlowCode/MFC.git HEAD:refs/heads/master

GitHub Actions masks secret values in logs, but a token embedded in a URL can sometimes appear unmasked in git error messages, process lists, or if git surfaces the remote URL in diagnostics. A safer pattern avoids putting the token in a URL that git might cache or echo:

git remote set-url origin https://x-access-token:${CACHE_PUSH_TOKEN}@github.com/MFlowCode/MFC.git
git push origin HEAD:refs/heads/master

…or using git -c url.https://x-access-token:${CACHE_PUSH_TOKEN}@github.com/.insteadOf=https://github.com/ push origin HEAD:master. That said, the inline-URL pattern is common in CI and the practical risk here is low given the step's narrow if guard.

No guard for unset CACHE_PUSH_TOKEN (.github/workflows/test.yml):
If CACHE_PUSH_TOKEN is not configured as a repo secret (e.g., after a secret rotation or on a fresh fork), the push will silently fail with an opaque authentication error rather than a clear diagnostic. A short guard before the push would improve debuggability:

if [ -z "${CACHE_PUSH_TOKEN}" ]; then
  echo "::error::CACHE_PUSH_TOKEN secret is not set — cannot push cache to master."
  exit 1
fi

--no-verify on automated commit — appropriate here. The pre-commit hook is not meaningful for a bot committing a binary cache file, and this follows the intent of #1320.
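A hardened version of the push step that combines the two suggestions in the review above (fail fast when the secret is unset, and keep the token out of the push URL). This is an added example, not the MFC workflow's own code or either reviewer's snippet: the CACHE_REMOTE value and the function names are assumptions, and the token is handed to git through a credential helper that reads it from the environment rather than through the remote URL.

```shell
#!/bin/sh
# Hardened "Commit Cache to Master" push step (added example, not the MFC
# workflow's code). Assumes the token is in the environment as
# CACHE_PUSH_TOKEN, as the workflow's env: line sets it, and that the target
# is refs/heads/master on github.com/MFlowCode/MFC.
#
# Compared with the inline-URL push it: (1) fails fast with an Actions
# ::error:: annotation when the secret is empty, and (2) passes the token to
# git through a credential helper that reads it from the environment at call
# time, so the token never appears in the remote URL, the git argv, or any
# diagnostic that echoes the remote URL.

# Credential-free remote (assumed: the page's URL minus the embedded token).
CACHE_REMOTE="https://github.com/MFlowCode/MFC.git"

# Returns 0 if the token is present, 1 (with a clear annotation) if empty/unset.
require_cache_token() {
  if [ -z "${CACHE_PUSH_TOKEN:-}" ]; then
    echo "::error::CACHE_PUSH_TOKEN secret is not set; cannot push cache to master."
    return 1
  fi
  return 0
}

# Text of a git credential helper. git runs a '!'-prefixed helper through the
# shell with the operation ("get", "store", "erase") as $1 and reads
# username=/password= lines from its stdout. ${CACHE_PUSH_TOKEN} is left
# unexpanded here (quoted heredoc) and is expanded only when git invokes it.
cache_credential_helper() {
  cat <<'EOF'
!f() { test "$1" = get || return 0; echo "username=x-access-token"; echo "password=${CACHE_PUSH_TOKEN}"; }; f
EOF
}

# The git command line that would run, one argument per line. Lets a caller
# (or a test) confirm the token is absent from anything git might print.
cache_push_argv() {
  printf '%s\n' git -c "credential.helper=$(cache_credential_helper)" \
    push "$CACHE_REMOTE" HEAD:refs/heads/master
}

# Guard, then push. Returns 1 without touching the remote if the token is
# missing; otherwise returns git's own exit status.
push_cache_to_master() {
  require_cache_token || return 1
  git -c "credential.helper=$(cache_credential_helper)" \
    push "$CACHE_REMOTE" HEAD:refs/heads/master
}
```

In the workflow the step would call push_cache_to_master after the commit, with CACHE_PUSH_TOKEN still supplied through env:. Because the helper only reads the token when git asks for credentials, the process list, the remote configuration and any message that quotes the remote URL show only https://github.com/MFlowCode/MFC.git.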

@coderabbitai

coderabbitai bot commented Mar 18, 2026

Caution

Review failed

The pull request is closed.

📥 Commits

Reviewing files that changed from the base of the PR and between d91e6ac and 88a1af7.

📒 Files selected for processing (1)
  • .github/workflows/test.yml

📝 Walkthrough

The .github/workflows/test.yml file has been modified to alter the "Commit Cache to Master" step. An environment variable CACHE_PUSH_TOKEN was added, the commit command was updated to include the --no-verify flag, and the git push mechanism was changed from a direct origin push to an HTTPS push using a token-based URL. Comments were added to document the use of the token and administrative privilege requirements.


Copilot AI left a comment


Pull request overview

Updates the CI rebuild-cache workflow so the automated coverage-cache commit can be pushed to master despite branch protection rulesets, by switching the push authentication from the default GITHUB_TOKEN to an admin-scoped secret token.

Changes:

  • Exposes CACHE_PUSH_TOKEN to the “Commit Cache to Master” step via workflow secrets.
  • Pushes the cache commit to master using an authenticated HTTPS URL with the admin token.
  • Adds --no-verify to the cache commit (skipping pre-commit hooks for this automated commit).

# Push using admin token to bypass branch protection rulesets.
# The default GITHUB_TOKEN lacks the Repository Admin role needed
# to push directly to master.
git push https://x-access-token:${CACHE_PUSH_TOKEN}@github.com/MFlowCode/MFC.git HEAD:refs/heads/master
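Review bot: the push on the last line of this block interpolates ${CACHE_PUSH_TOKEN} into the remote URL, so any git diagnostic that echoes the remote URL can carry the secret-bearing form into the job log; Actions masks registered secret strings, but GitHub's own docs note that transformed forms (URL-encoded, for instance) are not reliably masked. The token is already in the step environment, so a credential helper that reads it from there with a credential-free remote URL avoids this, and an explicit `[ -n "${CACHE_PUSH_TOKEN}" ] || exit 1` before the push would turn a missing or rotated secret into a clear failure instead of an opaque authentication error. The comment block should also record that this is an admin-scoped credential stored as a repository secret, available to every step of this repo's own workflow runs, so its scope and rotation are tracked.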
Comment on lines +152 to 153
CACHE_PUSH_TOKEN: ${{ secrets.CACHE_PUSH_TOKEN }}
run: |
echo "Coverage cache unchanged."
else
git commit -m "Regenerate gcov coverage cache [skip ci]"
git commit --no-verify -m "Regenerate gcov coverage cache [skip ci]"
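Review bot: the new commit line adds --no-verify, which skips the pre-commit hook for this bot commit; that is reasonable for a generated cache file, but the inline comment above documents only the token, so add a one-line comment beside the commit saying why hooks are bypassed, or the flag will look like a mistake to a later maintainer. With the push now bypassing the master ruleset, the `[skip ci]` trailer in the message is what prevents the workflow from re-triggering on its own commit; keep it.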
@codecov

codecov bot commented Mar 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 45.01%. Comparing base (38a7b4b) to head (88a1af7).
⚠️ Report is 8 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1321      +/-   ##
==========================================
- Coverage   45.12%   45.01%   -0.11%     
==========================================
  Files          70       70              
  Lines       20554    20562       +8     
  Branches     1962     1962              
==========================================
- Hits         9274     9255      -19     
- Misses      10152    10179      +27     
  Partials     1128     1128              
