Problem

The auto-bump-sha workflow used secrets.RELEASE_PAT (openbot/dev GITHUB_TOKEN belonging to YiWang24). This Classic PAT has repo scope but YiWang24 lacks write access to YiAgent/OpenCI, causing all API write operations to return HTTP 404.

Root Cause

Even with repo scope on a Classic PAT, GitHub returns 404 (not 403) for write operations when the token user lacks collaborator permissions on the target repo.

Fix

Replace ${{ secrets.RELEASE_PAT || github.token }} with ${{ github.token }} for GH_TOKEN. The built-in github.token has full write access to the repo, and our API-based push doesn not need the workflow scope that git-over-HTTPS requires.

^{Need help on this PR? Tag @codesmith with what you need. Autofix is disabled.}

Summary by CodeRabbit

• Chores
  • Simplified CI/CD workflow authentication to use GitHub's built-in token mechanism directly, eliminating the need for external token configuration.

Greptile Summary

This PR fixes the auto-bump-sha workflow by replacing secrets.RELEASE_PAT || github.token with github.token in both the API push step and the PR management step. The previous PAT belonged to a user without write access to this repo, causing all write operations to return HTTP 404.

• The workflow already declares permissions: contents: write and pull-requests: write, so github.token has the necessary scope for every API call the workflow makes (creating blobs, trees, commits, refs, and managing PRs).
• Two inline comments in the file (line 42-43 and the block above "Push commit via GitHub API") still reference "RELEASE_PAT or github.token" and should be updated to reflect the new, PAT-free approach.

Confidence Score: 4/5

Safe to merge — the fix correctly replaces a broken PAT with the built-in token, and the required contents:write / pull-requests:write permissions are already declared at the workflow level.

The functional change is correct and minimal. Two block comments inside the file still refer to RELEASE_PAT or github.token and remain misleading after the fix, but they do not affect runtime behavior.

.github/workflows/on-main-bump-sha.yml — specifically the two stale inline comments that still mention RELEASE_PAT.

Important Files Changed

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant GT as github.token
    participant API as GitHub Git Database API
    participant PR as Pull Request API

    GH->>GT: Resolve token (built-in, repo-scoped)
    Note over GT: contents:write + pull-requests:write
    GT-->>GH: Token with scoped permissions

    GH->>API: POST /git/blobs (upload file content)
    API-->>GH: blob SHA
    GH->>API: POST /git/trees (create new tree)
    API-->>GH: tree SHA
    GH->>API: POST /git/commits (create commit object)
    API-->>GH: commit SHA
    GH->>API: PATCH/POST /git/refs (update/create branch)
    API-->>GH: ref updated

    GH->>PR: gh pr list (find old bump PRs)
    PR-->>GH: list of open PRs
    GH->>PR: gh pr close (close superseded PRs)
    GH->>PR: gh pr create (open new bump PR)

_{Reviews (1): Last reviewed commit: "fix(ci): use github.token for bump-sha A..." | Re-trigger Greptile}