
fix(ci): use RELEASE_PAT for git-push in bump-sha workflow#167

Merged
YiWang24 merged 1 commit into main from fix/bump-sha-use-release-pat on May 26, 2026

Conversation

@YiWang24 YiWang24 (Collaborator) commented May 26, 2026

Problem

github.token cannot push .github/workflows/ changes. Our previous workaround (reverting workflow files) caused ci-self-test verify-sha-consistency failures because workflow SHA references lag behind manifest.yml.

Fix

Use RELEASE_PAT (a classic PAT with workflow OAuth scope) for the git-push step by overriding the remote URL:

git remote set-url origin "https://x-access-token:${RELEASE_PAT}@github.com/${GITHUB_REPOSITORY}.git"

This means all SHA references stay in sync — no more verify-sha-consistency failures.

Other changes carried forward

  • Guard condition fix: steps.guard.outputs.skip check in Manage PRs step
  • Auto-merge: gh pr merge --auto --squash after PR creation

no-issue


Greptile Summary

This PR replaces the previous workaround (reverting .github/workflows/ files before committing) with a cleaner approach: overriding the git remote URL to use RELEASE_PAT (a classic PAT with workflow OAuth scope) so all SHA references — including workflow files — are committed and pushed together.

  • Core change (on-main-bump-sha.yml): Removes the git checkout -- .github/workflows/ revert step; instead injects the PAT into the remote URL just before git push, and now stages .github/workflows/ alongside manifest.yml and actions/.
  • Guard condition fix: The "Manage PRs" step's if: condition now correctly gates on steps.push-branch.outputs.skip.
  • Auto-merge: gh pr merge --auto --squash is added after PR creation so approved bump PRs merge without manual intervention.
  • Test update (workflow-integrity.bats): Replaces the old revert-grep with a check for the new PAT remote-URL pattern.

Confidence Score: 4/5

Safe to merge with minor hardening — the credential-in-remote-URL lingers after the push and an empty RELEASE_PAT secret is not caught early.

The core approach is sound and correctly addresses the root cause. Minor hardening opportunities exist around credential lifetime and missing-secret detection, but neither blocks correct operation when the secret is properly configured.

on-main-bump-sha.yml — specifically the push block (remote URL credential lifetime) and the auto-merge section (stale comment).

Security Review

  • Credential lingering in git remote URL (on-main-bump-sha.yml, lines 148–150): RELEASE_PAT is embedded in the remote URL via git remote set-url and is never cleared after the push. GitHub Actions masks the raw token value in logs, but the URL remains in the git config for the rest of the job. Resetting the remote URL to the unauthenticated form immediately after the push is recommended.
  • Auto-merge now applies to PRs containing workflow file changes: Previously auto-merged PRs only contained manifest.yml changes; they now also include .github/workflows/ modifications. The scope is constrained to SHA reference substitutions, so practical risk is low, but branch protection rules should be verified to cover this automated path.

Important Files Changed

Filename: .github/workflows/on-main-bump-sha.yml
Overview: Switches from reverting workflow files to using RELEASE_PAT for git push; now commits .github/workflows/ changes directly. Introduces a credential-in-remote-URL pattern that lingers after the push step, a missing guard for empty RELEASE_PAT, and a stale comment that still says "only manifest.yml".

Filename: tests/actions/workflow-integrity.bats
Overview: Test updated to verify the new RELEASE_PAT remote-URL override pattern; grep pattern correctly matches the literal string in the workflow file.

Comments Outside Diff (1)

  1. .github/workflows/on-main-bump-sha.yml, lines 213-216

    P2 The comment still says "only changes manifest.yml", but the bump commit now also stages .github/workflows/ changes. This stale comment will mislead anyone auditing this workflow later.

Reviews (1): Last reviewed commit: "fix(ci): use RELEASE_PAT for git-push in..."

Greptile also left 2 inline comments on this PR.

github.token cannot push .github/workflows/ files — it requires a
'workflows' permission that doesn't exist in workflow syntax. Switch
to RELEASE_PAT (a classic PAT with 'workflow' OAuth scope) for the
git-push step by overriding the remote URL.

This means all SHA references (.github/workflows/, actions/,
manifest.yml) stay in sync — the verify-sha-consistency check will
pass. We no longer need to revert workflow file changes before pushing.

@coderabbitai coderabbitai Bot commented May 26, 2026

Warning: Review limit reached

@YiWang24, we couldn't start this review because you've reached your PR review rate limit.
📥 Commits

Reviewing files that changed from the base of the PR and between 95208a1 and ebdcaa6.

📒 Files selected for processing (2)
  • .github/workflows/on-main-bump-sha.yml
  • tests/actions/workflow-integrity.bats

@YiWang24 YiWang24 merged commit df894ea into main May 26, 2026
12 of 16 checks passed
@YiWang24 YiWang24 deleted the fix/bump-sha-use-release-pat branch May 26, 2026 02:56

@openbot-dev openbot-dev Bot left a comment

The diff switches from reverting workflow files before push to using RELEASE_PAT for authentication, which is a sound approach but has a few hygiene/safety concerns.

Repo-wide notes:

  • [medium] .github/workflows/on-main-bump-sha.yml: The PAT is embedded directly in the remote URL. If set -euo pipefail is off or git push leaks the URL in error output, the token could appear in GitHub Actions logs. Consider using a GIT_ASKPASS helper or git credential approve to avoid the token in the URL string.

Comment on lines +148 to 151
git remote set-url origin \
"https://x-access-token:${RELEASE_PAT}@github.com/${GITHUB_REPOSITORY}.git"
git push origin "${branch}"
echo "::notice::Pushed branch ${branch}"
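Review bot: the push block writes RELEASE_PAT into the stored remote with `git remote set-url` and never removes it, so the token sits in .git/config for every later step of the job. Only this one push needs it, so pass the authenticated URL to `git push` directly and leave origin untouched: `git push "https://x-access-token:${RELEASE_PAT}@github.com/${GITHUB_REPOSITORY}.git" "${branch}"`. If set-url stays, reset origin to `https://github.com/${GITHUB_REPOSITORY}.git` immediately after the push; the `::notice::` line is fine as it prints only the branch name.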

P2 security The RELEASE_PAT remains embedded in the git remote URL after the push completes. Any subsequent git operation in this job (or a future step added later) would still use it, and verbose git output or error messages could surface the full URL. Resetting the remote back to the unauthenticated HTTPS form immediately after the push limits the credential's exposure window.

Suggested change
git remote set-url origin \
"https://x-access-token:${RELEASE_PAT}@github.com/${GITHUB_REPOSITORY}.git"
git push origin "${branch}"
echo "::notice::Pushed branch ${branch}"
git remote set-url origin \
"https://x-access-token:${RELEASE_PAT}@github.com/${GITHUB_REPOSITORY}.git"
git push origin "${branch}"
git remote set-url origin "https://github.com/${GITHUB_REPOSITORY}.git"
echo "::notice::Pushed branch ${branch}"

Comment on lines 140 to +145
# Stage, commit, and push to a new branch.
git checkout -b "${branch}"
git add manifest.yml actions/
git add manifest.yml .github/workflows/ actions/
git commit -m "${commit_msg}" -m "${commit_body}"

# Use RELEASE_PAT for the push — github.token cannot push
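Review bot: `git add manifest.yml .github/workflows/ actions/` stages every modification under those paths, not only the SHA rewrites this job produced, so anything an earlier step left in the working tree is committed and pushed with the PAT without review; stage only tracked files that changed (`git add -u manifest.yml .github/workflows/ actions/`) or the explicit list the rewrite produced. The RELEASE_PAT presence check also belongs before `git checkout -b "${branch}"` rather than after the commit, so a missing secret fails the job before any local branch or commit is created.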

P2 If RELEASE_PAT is not configured in the repository secrets, GitHub Actions passes an empty string rather than an unset variable, so set -u does not catch it. The push then silently attempts authentication with an empty token and fails at git push with a generic auth error instead of a clear actionable message. An explicit guard here makes the misconfiguration immediately obvious.

Suggested change
# Stage, commit, and push to a new branch.
git checkout -b "${branch}"
git add manifest.yml actions/
git add manifest.yml .github/workflows/ actions/
git commit -m "${commit_msg}" -m "${commit_body}"
# Use RELEASE_PAT for the push — github.token cannot push
# Stage, commit, and push to a new branch.
git checkout -b "${branch}"
git add manifest.yml .github/workflows/ actions/
git commit -m "${commit_msg}" -m "${commit_body}"
# Validate RELEASE_PAT is present before using it.
[ -n "${RELEASE_PAT}" ] || { echo "::error::RELEASE_PAT secret is not configured"; exit 1; }
# Use RELEASE_PAT for the push — github.token cannot push
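The push step from the PR body together with the two hardenings the reviewers ask for (an explicit empty-secret guard, and not leaving the token in the stored remote), as an added shell example that is not the project's workflow or either reviewer's suggestion. It assumes the workflow's inputs (RELEASE_PAT, GITHUB_REPOSITORY, the branch variable) are passed in as function arguments so the push can be exercised against a local bare repository; the function names are hypothetical, and the one-shot push URL replaces the PR's `git remote set-url` so there is nothing to reset afterwards.

```shell
#!/usr/bin/env bash
# Added example, not the project's on-main-bump-sha.yml step. Function names
# are hypothetical; inputs mirror the workflow's RELEASE_PAT, GITHUB_REPOSITORY
# and branch variables but are passed as arguments.
set -eu

# GitHub Actions injects a missing secret as an empty string, not an unset
# variable, so `set -u` never fires. Check emptiness explicitly and emit a
# workflow error annotation so the misconfiguration is visible in the job UI.
require_secret() {
  local name="$1" value="${2-}"
  if [ -z "$value" ]; then
    echo "::error::${name} secret is not configured" >&2
    return 1
  fi
}

# Build the same authenticated URL the PR uses, without storing it anywhere.
authed_push_url() {
  local token="$1" repo="$2"
  printf 'https://x-access-token:%s@github.com/%s.git' "$token" "$repo"
}

# Push HEAD to a branch using a one-shot URL handed straight to `git push`.
# Because the URL is never written with `git remote set-url`, .git/config
# stays free of the token for the rest of the job.
push_branch_oneshot() {
  local push_url="$1" branch="$2"
  git push "$push_url" "HEAD:refs/heads/${branch}"
}

# The step as a workflow would call it: validate the secret, then push.
# The guard runs before anything is pushed or mutated.
push_bump_branch() {
  local token="${1-}" repo="$2" branch="$3"
  require_secret RELEASE_PAT "$token" || return 1
  push_branch_oneshot "$(authed_push_url "$token" "$repo")" "$branch"
}

# Strip user:password from an https URL (what a stored remote should look like).
strip_userinfo() {
  printf '%s\n' "$1" | sed -E 's#^(https?://)[^@/]*@#\1#'
}

# Repair a remote that already had a token embedded via `git remote set-url`,
# i.e. the post-push cleanup the reviewers ask for if set-url is kept.
scrub_remote_credentials() {
  local remote="$1"
  git remote set-url "$remote" "$(strip_userinfo "$(git remote get-url "$remote")")"
}

# End-of-job audit: does the repository's config still carry a token?
# Exit status 0 means a token was found (the bad case).
git_config_has_token() {
  grep -q 'x-access-token:' "$1/config"
}
```

In a workflow step the call is `push_bump_branch "$RELEASE_PAT" "$GITHUB_REPOSITORY" "$branch"`; `scrub_remote_credentials origin` is only needed by a job that kept the set-url approach, and `git_config_has_token .git` makes a cheap final check that no step left a credential behind.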
