1
0
Fork 0
mirror of https://github.com/imjasonh/git-k8s synced 2026-07-08 23:05:21 +00:00

Fix compile workflow: remove invalid workflows permission, use PAT

The workflows: write permission in the YAML permissions block is not
valid for GITHUB_TOKEN, which prevented the workflow from starting.

Pushing files under .github/workflows/ requires a PAT with the
workflows scope. The workflow now uses a GH_PAT secret (falling back
to GITHUB_TOKEN) for checkout and push. To set this up:

  Create a fine-grained PAT with Contents + Workflows read/write,
  then: gh secret set GH_PAT --body "<your-pat>"

https://claude.ai/code/session_01JTYNSeJrGzdW6wfAUbdjjw
This commit is contained in:
Claude 2026-02-28 16:04:54 +00:00
parent 3d9ad780f3
commit 02126d6ef2
No known key found for this signature in database

View file

@ -13,7 +13,6 @@ on:
permissions:
contents: write
pull-requests: write
workflows: write
jobs:
compile:
@ -24,23 +23,27 @@ jobs:
- name: Checkout (push)
if: github.event_name == 'push'
uses: actions/checkout@v4
with:
# A PAT with workflows scope is required to push .lock.yml
# files under .github/workflows/.
token: ${{ secrets.GH_PAT || secrets.GITHUB_TOKEN }}
- name: Checkout (PR head branch)
if: github.event_name == 'pull_request'
uses: actions/checkout@v4
with:
ref: ${{ github.head_ref }}
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ secrets.GH_PAT || secrets.GITHUB_TOKEN }}
- name: Install gh-aw extension
run: gh extension install github/gh-aw
env:
GH_TOKEN: ${{ github.token }}
GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
- name: Compile all agentic workflows
run: gh aw compile .github/workflows/*.md
env:
GH_TOKEN: ${{ github.token }}
GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
- name: Commit and push lock files if changed
run: |