
fix(ci): use github.token for bump-sha API push#160

Merged: YiWang24 merged 1 commit into main from fix/use-github-token-for-bump-api on May 26, 2026

Conversation

@YiWang24 (Collaborator) commented May 26, 2026

Problem

The auto-bump-sha workflow used secrets.RELEASE_PAT (openbot/dev GITHUB_TOKEN belonging to YiWang24). This Classic PAT has repo scope but YiWang24 lacks write access to YiAgent/OpenCI, causing all API write operations to return HTTP 404.

Root Cause

Even with repo scope on a Classic PAT, GitHub returns 404 (not 403) for write operations when the token user lacks collaborator permissions on the target repo.

Fix

Replace ${{ secrets.RELEASE_PAT || github.token }} with ${{ github.token }} for GH_TOKEN. The built-in github.token has full write access to the repo, and our API-based push does not need the workflow scope that git-over-HTTPS requires.



Summary by CodeRabbit

  • Chores
    • Simplified CI/CD workflow authentication to use GitHub's built-in token mechanism directly, eliminating the need for external token configuration.


Greptile Summary

This PR fixes the auto-bump-sha workflow by replacing secrets.RELEASE_PAT || github.token with github.token in both the API push step and the PR management step. The previous PAT belonged to a user without write access to this repo, causing all write operations to return HTTP 404.

  • The workflow already declares permissions: contents: write and pull-requests: write, so github.token has the necessary scope for every API call the workflow makes (creating blobs, trees, commits, refs, and managing PRs).
  • Two inline comments in the file (line 42-43 and the block above "Push commit via GitHub API") still reference "RELEASE_PAT or github.token" and should be updated to reflect the new, PAT-free approach.

Confidence Score: 4/5

Safe to merge — the fix correctly replaces a broken PAT with the built-in token, and the required contents:write / pull-requests:write permissions are already declared at the workflow level.

The functional change is correct and minimal. Two block comments inside the file still refer to RELEASE_PAT or github.token and remain misleading after the fix, but they do not affect runtime behavior.

.github/workflows/on-main-bump-sha.yml — specifically the two stale inline comments that still mention RELEASE_PAT.

Important Files Changed

Filename: .github/workflows/on-main-bump-sha.yml
Overview: Replaces `secrets.RELEASE_PAT

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant GT as github.token
    participant API as GitHub Git Database API
    participant PR as Pull Request API

    GH->>GT: Resolve token (built-in, repo-scoped)
    Note over GT: contents:write + pull-requests:write
    GT-->>GH: Token with scoped permissions

    GH->>API: POST /git/blobs (upload file content)
    API-->>GH: blob SHA
    GH->>API: POST /git/trees (create new tree)
    API-->>GH: tree SHA
    GH->>API: POST /git/commits (create commit object)
    API-->>GH: commit SHA
    GH->>API: PATCH/POST /git/refs (update/create branch)
    API-->>GH: ref updated

    GH->>PR: gh pr list (find old bump PRs)
    PR-->>GH: list of open PRs
    GH->>PR: gh pr close (close superseded PRs)
    GH->>PR: gh pr create (open new bump PR)

Comments Outside Diff (2)

  1. .github/workflows/on-main-bump-sha.yml, line 42-43

    P2 The inline comment on line 43 still references RELEASE_PAT or github.token, which is now stale after this change.

  2. .github/workflows/on-main-bump-sha.yml, line 107-111

    P2 The block comment above the "Push commit via GitHub API" step still mentions RELEASE_PAT or github.token on the last line, which is now stale.

Reviews (1): Last reviewed commit: "fix(ci): use github.token for bump-sha A..."

The openbot/dev GITHUB_TOKEN (RELEASE_PAT) belongs to YiWang24 who
lacks write access to YiAgent/OpenCI, causing 404 on all API write
operations. The built-in github.token has full write access to the
repo and works fine with the REST API approach since we no longer
need the workflow scope that git-over-HTTPS requires.
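The push that the Fix section and the commit message describe, and that Greptile's sequence diagram above draws, as an added Python example (not code from the OpenCI workflow or from this PR). It performs the blob, tree, commit and ref calls of the Git Database API against an injected transport, and its FakeGitHub class is a constructed stand-in for api.github.com that reproduces the behaviour the PR description reports: a token whose user has no write access gets HTTP 404, not 403, on every write. The token strings "github.token" and "stale-pat", the branch bot/bump-sha, the file sha.env and its content are illustrative assumptions, not values from the workflow:

```python
"""Offline model of the bump-sha workflow's Git Database API push (added example, not
code from the OpenCI workflow or this PR). FakeGitHub is a constructed api.github.com
stand-in; like GitHub, it answers writes from a token without write access with 404."""
import base64
import hashlib
import json
from typing import Callable, Dict, List, Optional, Set, Tuple

Transport = Callable[[str, str, str, Optional[dict]], Tuple[int, dict]]  # (method, path, token, body) -> (status, json)

class PushError(RuntimeError):
    """A step of the API push was refused."""

def api_push(transport: Transport, token: str, repo: str, base_branch: str,
             new_branch: str, path: str, content: bytes, message: str) -> str:
    """Commit `content` at `path` on base_branch and point new_branch at the result."""
    def call(method: str, endpoint: str, body: Optional[dict] = None) -> Optional[dict]:
        status, data = transport(method, f"/repos/{repo}{endpoint}", token, body)
        if method == "GET" and status == 404:
            return None  # a read 404 means the object really is absent
        if status == 404:
            # GitHub answers a write with 404 rather than 403 when the token's user
            # has no write permission on the repo, so a write 404 is an auth failure.
            raise PushError(f"{method} {endpoint} -> 404: token lacks write access to {repo}")
        if status >= 400:
            raise PushError(f"{method} {endpoint} -> {status}: {data.get('message')}")
        return data

    base = call("GET", f"/git/ref/heads/{base_branch}")
    if base is None:
        raise PushError(f"base branch {base_branch!r} not found in {repo}")
    parent = base["object"]["sha"]
    base_tree = call("GET", f"/git/commits/{parent}")["tree"]["sha"]
    blob = call("POST", "/git/blobs", {"content": base64.b64encode(content).decode("ascii"),
                                       "encoding": "base64"})["sha"]
    tree = call("POST", "/git/trees", {"base_tree": base_tree, "tree": [
        {"path": path, "mode": "100644", "type": "blob", "sha": blob}]})["sha"]
    commit = call("POST", "/git/commits", {"message": message, "tree": tree, "parents": [parent]})["sha"]
    if call("GET", f"/git/ref/heads/{new_branch}") is None:
        call("POST", "/git/refs", {"ref": f"refs/heads/{new_branch}", "sha": commit})
    else:
        call("PATCH", f"/git/refs/heads/{new_branch}", {"sha": commit, "force": True})
    return commit

class FakeGitHub:
    """Constructed stand-in for api.github.com: one repo, a reader set and a writer set."""

    def __init__(self, repo: str, readers: Set[str], writers: Set[str]):
        self.prefix, self.readers, self.writers = f"/repos/{repo}", readers, writers
        self.calls: List[Tuple[str, str]] = []
        self.objects: Dict[str, dict] = {}
        root = self._put({"tree": {"sha": self._put({"tree": []})}, "parents": [], "message": "init"})
        self.refs: Dict[str, str] = {"heads/main": root}

    def _put(self, obj: dict) -> str:
        sha = hashlib.sha1(json.dumps(obj, sort_keys=True).encode()).hexdigest()
        self.objects[sha] = obj
        return sha

    def __call__(self, method: str, path: str, token: str, body: Optional[dict]) -> Tuple[int, dict]:
        self.calls.append((method, path))
        not_found, ep = (404, {"message": "Not Found"}), path[len(self.prefix):]
        if token not in self.readers:
            return not_found  # the repo is invisible without read access
        if method == "GET" and ep.startswith("/git/ref/"):
            sha = self.refs.get(ep[len("/git/ref/"):])
            return (200, {"object": {"sha": sha}}) if sha else not_found
        if method == "GET" and ep.startswith("/git/commits/"):
            return 200, self.objects[ep.rsplit("/", 1)[1]]
        if token not in self.writers:
            return not_found  # no collaborator permission: 404, not 403, on writes
        if method == "POST" and ep in ("/git/blobs", "/git/trees"):
            return 201, {"sha": self._put(body)}
        if method == "POST" and ep == "/git/commits":
            return 201, {"sha": self._put({"tree": {"sha": body["tree"]}, "message": body["message"],
                                           "parents": [{"sha": p} for p in body["parents"]]})}
        if method == "POST" and ep == "/git/refs":
            self.refs[body["ref"][len("refs/"):]] = body["sha"]
            return 201, {"ref": body["ref"]}
        if method == "PATCH" and ep.startswith("/git/refs/"):
            self.refs[ep[len("/git/refs/"):]] = body["sha"]
            return 200, {"ref": "refs/" + ep[len("/git/refs/"):]}
        return 422, {"message": "Unprocessable Entity"}

def demo() -> Dict[str, object]:
    """Push once with a write-capable token, then again with a read-only one."""
    gh = FakeGitHub("YiAgent/OpenCI", readers={"github.token", "stale-pat"}, writers={"github.token"})
    args = ("YiAgent/OpenCI", "main", "bot/bump-sha", "sha.env",
            b"OPENCI_SHA=0123456789abcdef\n", "chore: bump sha")  # constructed payload
    commit = api_push(gh, "github.token", *args)
    failure = None
    try:
        api_push(gh, "stale-pat", *args)
    except PushError as exc:
        failure = str(exc)
    return {"commit": commit, "branch_sha": gh.refs["heads/bot/bump-sha"],
            "failure": failure, "calls": gh.calls}
```

Calling demo() runs the sequence twice: the write-capable token gets through blobs, trees, commits and refs and the new branch ends up at the returned commit, while the read-only token passes both GETs and is refused with 404 at the first write, POST /git/blobs, which the client reports as a missing-permission error rather than a missing object. To point this at the real API, replace the FakeGitHub instance with a transport that sends the request over HTTPS with an `Authorization: Bearer` header carrying GH_TOKEN; the workflow's `permissions: contents: write` is what lets github.token pass the writer check.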

@YiWang24 YiWang24 merged commit 90dde39 into main May 26, 2026
13 of 16 checks passed
@coderabbitai Bot commented May 26, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: a7d5bf36-bc66-4c31-94c0-d78284f93064

📥 Commits

Reviewing files that changed from the base of the PR and between 80279ad and 63c5e37.

📒 Files selected for processing (1)
  • .github/workflows/on-main-bump-sha.yml

Walkthrough

This PR simplifies GitHub API authentication in the on-main-bump-sha workflow by removing the secrets.RELEASE_PAT fallback and using github.token directly. Documentation is updated to reflect this approach, and two workflow steps that call GitHub APIs are modified to use the simplified credential.

Changes

GitHub API Authentication Simplification

Layer: Simplify GitHub API authentication to use github.token directly
File(s): .github/workflows/on-main-bump-sha.yml
Summary: Workflow header documentation is clarified to state that the Git Database API approach works with github.token without requiring a PAT. The GH_TOKEN environment variable in both the "Push commit via GitHub API" step and the "Manage PRs — close old, clean orphans, open new" step is changed from secrets.RELEASE_PAT || github.token to direct ${{ github.token }} usage.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

  • YiAgent/OpenCI#71: Both PRs modify .github/workflows/on-main-bump-sha.yml to change the GH_TOKEN and github.token/secrets.RELEASE_PAT wiring used by the auto-bump GitHub API and PR-creation steps.
  • YiAgent/OpenCI#141: Both PRs modify the .github/workflows/on-main-bump-sha.yml bump and PR automation steps; #141 adds conditional gating while this PR simplifies token authentication.

Suggested labels

area:ci

Poem

🐰 No secrets hiding in the workflow's way,
Just github.token shining bright today,
The PAT is gone, the path is clear,
Simpler auth, and we all cheer! 🎉


@YiWang24 YiWang24 deleted the fix/use-github-token-for-bump-api branch May 26, 2026 02:13

@openbot-dev Bot left a comment

The PR removes the RELEASE_PAT secret fallback in favor of using only github.token for the Git Database API and PR management steps.

