The `chitcommit` bot token (used by automation and by agents for git push) lacks the `workflow` scope in its GitHub OAuth grant. This means any commit that adds, moves, or modifies a file under `.github/workflows/` is rejected at push time with:
```
! [remote rejected] ->
(refusing to allow an OAuth App to create or update workflow .github/workflows/<file>.yml without workflow scope)
```
Today's repros
chittyops PR chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates #78 (local-ingest-health audit) — chico-keys parked the workflow file in `docs/` because it couldn't push it to `.github/workflows/`. The audit script + script-installer + allowlist + docs landed; the workflow itself sits inactive.
chittyops follow-up commit `0f11537` (2026-06-04) — attempted `git mv` of the parked workflow into `.github/workflows/`. Push rejected with same error.
Impact
Any GHA workflow we want to ship as part of a guardrail PR — including the binding-drift-style auto-detect pattern (chittyconnect#217, chittyentity#324, chittyentity#315, and this chittyops one) — needs operator manual intervention to activate.
Same class of credential gap as chittyconnect#215 (CF API token scope) and chittyconnect#229 (per-worker CHITTYCONNECT_TOKEN provisioning) — the credential lane has gaps that block routine ops.
Resolution (ChittyConnect lane — chico-keys)
Rotate the `chitcommit` GitHub OAuth token to include `workflow` scope in addition to whatever it has today (likely `repo`, `read:org`).
Store the rotated token in op://Infrastructure (or wherever chittyconnect-prod bot creds live).
Update the `gh` config / GH Actions secrets / any service that uses the token.
Verify by re-pushing the chittyops `spec/canonical-channel-access-v1` branch with commit `0f11537` — should succeed once the scope is in place.
Constraint
This is firmly in chico-keys' lane (credential rotation through op → GitHub). Operator is never asked to paste the new token; route through ChittyConnect's standard rotation flow.
Cross-refs
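Added example, not part of the original issue or of ChittyConnect's tooling: a pre-flight check for the verification step in the Resolution section. It reads the `X-OAuth-Scopes` response header that GitHub returns for OAuth tokens and reports whether a push touching `.github/workflows/` would be refused. The function names, the `GH_TOKEN` variable, the `origin/main` base and the sample paths are assumptions.

```shell
#!/bin/sh
# Pre-push check: will GitHub refuse this push for lack of the `workflow` scope?
# Live usage (token injected by the secret store, never pasted by an operator):
#   git diff --name-only origin/main...HEAD > /tmp/changed
#   curl -sS -o /dev/null -D - -H "Authorization: Bearer $GH_TOKEN" \
#     https://api.github.com/user | push_allowed /tmp/changed

# Print the token's scopes, one per line, from HTTP response headers on stdin.
# Header names are matched case-insensitively (HTTP/2 sends them lowercased) and
# the value is split on commas only, so scopes such as read:org stay intact.
scopes_from_headers() {
  tr -d '\r' | awk '{
    i = index($0, ":")
    if (i && tolower(substr($0, 1, i - 1)) == "x-oauth-scopes") {
      n = split(substr($0, i + 1), s, ",")
      for (k = 1; k <= n; k++) {
        gsub(/^[ \t]+|[ \t]+$/, "", s[k])
        if (s[k] != "") print s[k]
      }
    }
  }'
}

# Succeed if any changed path on stdin lies under .github/workflows/.
touches_workflows() {
  grep -q '^\.github/workflows/'
}

# push_allowed PATHS_FILE: response headers on stdin, changed paths in PATHS_FILE.
# Returns 1 only when a workflow file changed and the token lacks `workflow`.
push_allowed() {
  pa_scopes=$(scopes_from_headers)
  if touches_workflows < "$1"; then
    if ! printf '%s\n' "$pa_scopes" | grep -qx 'workflow'; then
      echo "push touches .github/workflows/ but token lacks workflow scope" >&2
      return 1
    fi
  fi
  return 0
}

# Demo on constructed input: the scopes the issue guesses the token has today.
demo() {
  demo_paths="${TMPDIR:-/tmp}/paths.$$"
  printf '.github/workflows/example.yml\n' > "$demo_paths"
  printf 'x-oauth-scopes: repo, read:org\r\n' | push_allowed "$demo_paths"
  demo_rc=$?; rm -f "$demo_paths"; return $demo_rc
}
```

A token type that does not send `X-OAuth-Scopes` yields an empty scope list, so the check fails closed for workflow changes.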