This repo gets sync'd with our other orgs (e.g. trail-of-forks) via sync.yml. This works just fine, if the sync step (i.e. git merge) doesn't include a workflow change. When it does include a workflow change the sync (and all future syncs) fail, since the default GITHUB_TOKEN doesn't have the workflow permission.
This results in the following obtuse error:
To https://github.com/crytic/.github
! [remote rejected] main -> main (refusing to allow a GitHub App to create or update workflow `.github/workflows/lint.yml` without `workflows` permission)
error: failed to push some refs to 'https://github.com/crytic/.github'
Error: Process completed with exit code 1.
To get around this, we either need a long-lived PAT (not ideal, since it'd essentially be a "god-mode" PAT for all of our orgs) or to make syncing more intelligent (e.g. have each repo be a stand-alone rather than a fork, and have each update only its non-workflow files on a schedule). The latter probably makes more sense.
This repo gets sync'd with our other orgs (e.g.
trail-of-forks) viasync.yml. This works just fine, if the sync step (i.e.git merge) doesn't include a workflow change. When it does include a workflow change the sync (and all future syncs) fail, since the defaultGITHUB_TOKENdoesn't have theworkflowpermission.This results in the following obtuse error:
To get around this, we either need a long-lived PAT (not ideal, since it'd essentially be a "god-mode" PAT for all of our orgs) or to make syncing more intelligent (e.g. have each repo be a stand-alone rather than a fork, and have each update only its non-workflow files on a schedule). The latter probably makes more sense.