From 63c5e3791e00f0a6bd3ef659c7c2f67e5ec8c80f Mon Sep 17 00:00:00 2001
From: YiWang24
Date: Mon, 25 May 2026 22:12:49 -0400
Subject: [PATCH] fix(ci): use github.token for bump-sha API push

The openbot/dev GITHUB_TOKEN (RELEASE_PAT) belongs to YiWang24 who lacks write access to YiAgent/OpenCI, causing 404 on all API write operations. The built-in github.token has full write access to the repo and works fine with the REST API approach since we no longer need the workflow scope that git-over-HTTPS requires.
---
 .github/workflows/on-main-bump-sha.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/on-main-bump-sha.yml b/.github/workflows/on-main-bump-sha.yml
index 86f3b2c..b384df4 100644
--- a/.github/workflows/on-main-bump-sha.yml
+++ b/.github/workflows/on-main-bump-sha.yml
@@ -8,8 +8,8 @@
 # that condition and creates a one-commit PR to fix it automatically.
 #
 # The commit is pushed via the GitHub Git Database API (blobs → trees →
-# commits → refs), which only requires the `repo` OAuth scope. This
-# deliberately sidesteps the `workflow` scope that git-over-HTTPS would
+# commits → refs). This works with the built-in github.token (no PAT
+# needed) and sidesteps the `workflow` scope that git-over-HTTPS would
 # require for pushing to .github/workflows/.

 name: Auto-bump self SHA
@@ -113,7 +113,7 @@ jobs:
 id: push-api
 if: steps.guard.outputs.skip != 'true' && steps.check.outputs.skip != 'true'
 env:
- GH_TOKEN: ${{ secrets.RELEASE_PAT || github.token }}
+ GH_TOKEN: ${{ github.token }}
 NEW_SHA: ${{ steps.check.outputs.new_sha }}
 OLD_SHA: ${{ steps.check.outputs.current_sha }}
 run: |
@@ -178,7 +178,7 @@ jobs:
 - name: Manage PRs — close old, clean orphans, open new
 if: steps.push-api.outputs.skip != 'true'
 env:
- GH_TOKEN: ${{ secrets.RELEASE_PAT || github.token }}
+ GH_TOKEN: ${{ github.token }}
 NEW_SHA: ${{ steps.check.outputs.new_sha }}
 OLD_SHA: ${{ steps.check.outputs.current_sha }}
 BRANCH: ${{ steps.push-api.outputs.branch }}
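Review bot: Nothing visible in the `push-api` step pins what `github.token` is allowed to do, so the write now depends on the repository's default workflow permissions rather than on anything declared in this file; the same applies to the `GH_TOKEN` line in the PR-management hunk. The job header is outside the hunk, but if it carries no `permissions:` block, add one limited to what these steps need, for example `contents: write` and `pull-requests: write`. The header comment also assumes that a ref update touching `.github/workflows/` is accepted for the built-in token. As far as I know that token cannot be granted permission to modify workflow files, so this should be confirmed with a real run before the PAT fallback is dropped for good.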
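Review bot: The PR opened by the "Manage PRs" step is now always created with `github.token`, and events caused by that token do not start other workflow runs, so the bump PR will not get its `pull_request` checks. With the old `secrets.RELEASE_PAT || github.token` expression this only happened when the secret was unset. If branch protection requires status checks, the auto-bump PR may sit unmergeable, or get merged without the checks a human PR would receive. I would record this above the `env:` block, e.g. `# PRs opened with github.token do not trigger pull_request workflows; checks must be started another way`, and decide how they are run. The step body continues outside the hunk.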