fix(ci): revert workflow file changes before git-push in bump-sha

[YiWang24]

Problem

The on-main-bump-sha workflow cannot push changes to .github/workflows/ files:

• Git Database API → HTTP 403 for github.token
• Git push → "refusing to allow a GitHub App to create or update workflow without workflows permission"
• workflows is not a valid permission scope in workflow syntax (only for GitHub Apps, not Actions workflows)

Root Cause

github.token cannot modify .github/workflows/ files, period. The required workflows permission doesn't exist in the workflow permissions: block.

Fix

After bump-self-sha.sh modifies all files containing the old SHA (including .github/workflows/*.yml), we restore workflow files with git checkout -- .github/workflows/ before committing. Only manifest.yml (and optionally actions/) is pushed.

This is safe because:

• External repos rely on manifest.yml for the pinned SHA (via resolve-openci)
• Internal workflow references in the OpenCI repo lag slightly behind — harmless since reusable workflows exist at old SHAs in repo history

Files Changed

• .github/workflows/on-main-bump-sha.yml — Add git checkout -- .github/workflows/ revert, update pathspec
• tests/actions/workflow-integrity.bats — Update test for new revert pattern

no-issue

---

^{Need help on this PR? Tag @codesmith with what you need. Autofix is disabled.}

Greptile Summary

This PR fixes the on-main-bump-sha workflow's inability to push .github/workflows/ changes by reverting those changes before committing, since github.token cannot write to workflow files regardless of permissions.

• Adds git checkout -- .github/workflows/ immediately after bump-self-sha.sh runs, discarding workflow-file modifications before staging — this works because bump-self-sha.sh only edits files in-place without staging.
• Removes the non-existent workflows: write permission from the workflow's permissions: block and updates the git diff/git add pathspecs to exclude .github/workflows/.
• Updates the bats integrity test to assert the revert line is present instead of the old "includes actions/ in pathspec" assertion.

Confidence Score: 4/5

The change is safe to merge — it correctly addresses a real GitHub token limitation and the revert-before-stage approach is sound given bump-self-sha.sh never stages files itself.

The revert strategy is well-reasoned and works correctly because bump-self-sha.sh only modifies files in-place without staging, so git checkout -- .github/workflows/ cleanly undoes exactly the right set of changes. The Manage PRs step has a pre-existing condition edge case — when push-branch is skipped by the guard/check logic, steps.push-branch.outputs.skip is unset, so != 'true' evaluates true and Manage PRs could run with an empty $BRANCH variable — but this is unchanged by this PR.

No files require special attention; the workflow logic and the updated bats test are consistent with each other.

Important Files Changed

Filename	Overview
.github/workflows/on-main-bump-sha.yml	Adds git checkout -- .github/workflows/ revert before staging, removes invalid workflows: write permission, and narrows the pathspec to only manifest.yml + actions/.
tests/actions/workflow-integrity.bats	Test renamed and updated to assert the git checkout -- .github/workflows/ revert line is present in the workflow file; straightforward and correct.

Sequence Diagram

sequenceDiagram
    participant W as on-main-bump-sha workflow
    participant S as bump-self-sha.sh
    participant FS as Working Tree
    participant G as git
    participant GH as GitHub (origin)

    W->>G: checkout (fetch-depth: 0)
    W->>W: guard step — skip if bot-authored commit
    W->>W: check step — compare manifest SHA vs HEAD
    W->>S: bash scripts/bump-self-sha.sh
    S->>FS: perl -pi -e (update manifest.yml)
    S->>FS: "perl -pi -e (update .github/workflows/*.yml)"
    S->>FS: "perl -pi -e (update actions/*.yml)"
    Note over S,FS: Files modified in-place, nothing staged
    W->>G: git checkout -- .github/workflows/
    Note over G,FS: Revert workflow file changes (github.token cannot push them)
    W->>G: git diff --name-only HEAD -- manifest.yml actions/
    alt no changes remain
        W-->>W: "skip=true, exit early"
    else manifest.yml / actions/ changed
        W->>G: git config user.name/email
        W->>G: "git checkout -b chore/bump-self-sha-{sha}"
        W->>G: git add manifest.yml actions/
        W->>G: git commit
        W->>GH: "git push origin {branch}"
        W->>GH: gh pr create (or reuse existing)
    end

Loading

_{Reviews (1): Last reviewed commit: "fix(ci): revert workflow file changes be..." | Re-trigger Greptile}

[qodo-code-review]

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

[coderabbitai]

Warning

Review limit reached

@YiWang24, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 39 minutes and 56 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 5243cb01-3042-4eb3-8d38-0d84da2d94c0

📥 Commits

Reviewing files that changed from the base of the PR and between 67361a4 and 04d0d71.

📒 Files selected for processing (2)

• .github/workflows/on-main-bump-sha.yml
• tests/actions/workflow-integrity.bats

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/bump-sha-revert-workflows

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[openbot-dev]

The diff correctly removes the inapplicable workflows: write permission and reverts workflow file changes before committing, since github.token cannot push to .github/workflows/. The test and documentation are updated consistently. One low-severity concern: bump-self-sha.sh still prints a stale git add command including .github/workflows/, which is misleading (though not executed by the workflow itself).