From 02126d6ef26bfb67eeeaf2b0a5bcf0b127df1ce2 Mon Sep 17 00:00:00 2001 From: Claude Date: Sat, 28 Feb 2026 16:04:54 +0000 Subject: [PATCH] Fix compile workflow: remove invalid workflows permission, use PAT The workflows: write permission in the YAML permissions block is not valid for GITHUB_TOKEN, which prevented the workflow from starting. Pushing files under .github/workflows/ requires a PAT with the workflows scope. The workflow now uses a GH_PAT secret (falling back to GITHUB_TOKEN) for checkout and push. To set this up: Create a fine-grained PAT with Contents + Workflows read/write, then: gh secret set GH_PAT --body "" https://claude.ai/code/session_01JTYNSeJrGzdW6wfAUbdjjw --- .github/workflows/compile-workflows.yaml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/compile-workflows.yaml b/.github/workflows/compile-workflows.yaml index f7ae03c..4111f6b 100644 --- a/.github/workflows/compile-workflows.yaml +++ b/.github/workflows/compile-workflows.yaml @@ -13,7 +13,6 @@ on: permissions: contents: write pull-requests: write - workflows: write jobs: compile: @@ -24,23 +23,27 @@ jobs: - name: Checkout (push) if: github.event_name == 'push' uses: actions/checkout@v4 + with: + # A PAT with workflows scope is required to push .lock.yml + # files under .github/workflows/. + token: ${{ secrets.GH_PAT || secrets.GITHUB_TOKEN }} - name: Checkout (PR head branch) if: github.event_name == 'pull_request' uses: actions/checkout@v4 with: ref: ${{ github.head_ref }} - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ secrets.GH_PAT || secrets.GITHUB_TOKEN }} - name: Install gh-aw extension run: gh extension install github/gh-aw env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ secrets.GH_PAT || github.token }} - name: Compile all agentic workflows run: gh aw compile .github/workflows/*.md env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ secrets.GH_PAT || github.token }} - name: Commit and push lock files if changed run: |