lupodevelop · lupodevelop · Nov 16, 2025 · Nov 16, 2025
diff --git a/.github/workflows/publish-gleam.yml b/.github/workflows/publish-gleam.yml
@@ -116,7 +116,7 @@ jobs:
             exit 1
           fi
 
-      - name: Verify HEX API key via HTTP
+      - name: Trust HEX API key presence (skip /api/me check)
         env:
           HEX_API_KEY: ${{ secrets.HEX_API_KEY }}
         run: |
@@ -125,16 +125,11 @@ jobs:
             echo "HEX_API_KEY secret is not set; aborting"
             exit 1
           fi
-          # ask for JSON explicitly
-          RES=$(curl -s -w "%{http_code}" -H "Authorization: Bearer ${HEX_API_KEY}" -H "Accept: application/vnd.hex+json; version=1.0" https://hex.pm/api/me)
-          HTTP=${RES: -3}
-          BODY=${RES:: -3}
-          echo "HTTP status: ${HTTP}"
-          if [ "${HTTP}" != "200" ]; then
-            echo "HEX API key invalid or API returned ${HTTP}. Response body preview:" 
-            echo "${BODY}" | sed -n '1,40p'
-            exit 1
-          fi
+          # Do not call the Hex API here (some environments return unexpected 404s).
+          # Treat the presence of a non-empty secret as 'valid' for CI publishing.
+          # Do not print the key or any masked preview in logs.
+          # Only confirm that the secret is present to avoid accidental leaks.
+          echo "HEX_API_KEY is set"
 
       - name: Check if version already published on Hex
         run: |