From 918ef40ba6eff66bfb897feb8a7ff2ae9085ffe0 Mon Sep 17 00:00:00 2001
From: Vahid Ahmadi
Date: Tue, 17 Mar 2026 18:03:19 +0000
Subject: [PATCH] Replace personal PAT with GITHUB_TOKEN in versioning workflow

The Versioning job previously required secrets.POLICYENGINE_GITHUB (a personal PAT) to push the version bump commit and re-trigger the Publish job. This broke when the PAT expired.

Changes:
- Use GITHUB_TOKEN with contents:write for same-repo checkout/push
- Restructure Publish as needs:Versioning sequential job instead of relying on a re-triggered push event (GITHUB_TOKEN pushes don't trigger new workflow runs)
- Make cross-repo update_api.py conditional on POLICYENGINE_GITHUB secret availability

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/versioning.yaml | 19 ++++++++++++++-----
 .../fix-versioning-workflow.changed.md | 1 +
 2 files changed, 15 insertions(+), 5 deletions(-)
 create mode 100644 changelog.d/fix-versioning-workflow.changed.md

diff --git a/.github/workflows/versioning.yaml b/.github/workflows/versioning.yaml
index e08152889..d84e7ae3c 100644
--- a/.github/workflows/versioning.yaml
+++ b/.github/workflows/versioning.yaml
@@ -1,4 +1,6 @@
 # Workflow that runs on versioning metadata updates.
+# Uses GITHUB_TOKEN (not a personal PAT) for same-repo operations.
+# Cross-repo API updates require POLICYENGINE_GITHUB secret (org-level PAT).
 name: Versioning updates
 
 on:
@@ -11,16 +13,20 @@ on:
 - pyproject.toml
 workflow_dispatch:
 
+permissions:
+ contents: write
+
 jobs:
 Versioning:
 runs-on: ubuntu-latest
 if: |
 (!(github.event.head_commit.message == 'Update package version'))
+ outputs:
+ committed: ${{ steps.commit.outputs.committed }}
 steps:
 - name: Checkout repo
 uses: actions/checkout@v4
 with:
- token: ${{ secrets.POLICYENGINE_GITHUB }}
 fetch-depth: 0
 - name: Install uv
 uses: astral-sh/setup-uv@v5
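Review bot: The new workflow-level `permissions: contents: write` block grants write access to every job in the file, but only the Versioning job pushes anything; Publish (next hunk) handles the PyPI secret and only needs to read the repository. Moving the grant to job level keeps the token Publish receives read-only, which limits what a compromised publish step (or a dependency it pulls in) can do with it. The workflow-level `permissions:` block would then be dropped; the Publish header it applies to is in the following hunk.
```yaml
jobs:
  Versioning:
    runs-on: ubuntu-latest
    permissions:
      contents: write  # only the version-bump push needs write
    # … unchanged: if / outputs / steps …
  Publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # … unchanged: needs / if / steps …
```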
@@ -35,18 +41,20 @@ jobs:
 python .github/bump_version.py
 towncrier build --yes --version $(python -c "import re; print(re.search(r'version = \"(.+?)\"', open('pyproject.toml').read()).group(1))")
 - name: Update changelog
+ id: commit
 uses: EndBug/add-and-commit@v9
 with:
 add: "."
 message: Update package version
 
 Publish:
 runs-on: ubuntu-latest
- if: (github.event.head_commit.message == 'Update package version')
- env:
- GH_TOKEN: ${{ secrets.POLICYENGINE_GITHUB }}
+ needs: Versioning
+ if: needs.Versioning.outputs.committed == 'true'
 steps:
 - name: Checkout repo
 uses: actions/checkout@v4
+ with:
+ ref: main
 - name: Install uv
 uses: astral-sh/setup-uv@v5
@@ -71,6 +79,7 @@ jobs:
 password: ${{ secrets.PYPI }}
 skip_existing: true
 - name: Update API
+ if: ${{ secrets.POLICYENGINE_GITHUB != '' }}
 run: python .github/update_api.py
 env:
- GITHUB_TOKEN: ${{ secrets.POLICYENGINE_GITHUB }}
\ No newline at end of file
+ GITHUB_TOKEN: ${{ secrets.POLICYENGINE_GITHUB }}
diff --git a/changelog.d/fix-versioning-workflow.changed.md b/changelog.d/fix-versioning-workflow.changed.md
new file mode 100644
index 000000000..e5c5351cd
--- /dev/null
+++ b/changelog.d/fix-versioning-workflow.changed.md
@@ -0,0 +1 @@
+Replaced personal PAT with `GITHUB_TOKEN` in versioning workflow. Publish now runs as a sequential job instead of requiring a re-triggered workflow, removing the dependency on a personal access token for same-repo operations.
\ No newline at end of file
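Review bot: `ref: main` in the Publish checkout fetches whatever `main` points at when the job starts, not the commit Versioning just pushed, so anything merged in between is what gets built and uploaded to PyPI; the checkout should pin the exact SHA. EndBug/add-and-commit v9 exposes it as `commit_long_sha`, so export `sha: ${{ steps.commit.outputs.commit_long_sha }}` next to `committed` in Versioning's `outputs:` (previous hunk) and use `ref: ${{ needs.Versioning.outputs.sha }}` here. Gating on `needs.Versioning.outputs.pushed == 'true'` instead of `committed` would also keep Publish from running when the commit was created locally but the push failed. Since Publish never pushes, `persist-credentials: false` on this checkout keeps the job token out of `.git/config` for the rest of the job.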
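Review bot: As far as I can tell the `secrets` context is not available in a step-level `if` (GitHub's context-availability table lists it for neither `jobs.<id>.if` nor `steps.if`), so `if: ${{ secrets.POLICYENGINE_GITHUB != '' }}` on the Update API step is likely to be rejected when the workflow is parsed rather than quietly skip the step; worth confirming on a run before relying on it. The usual pattern is to surface the secret through a job-level `env:` on Publish, e.g. `POLICYENGINE_GITHUB: ${{ secrets.POLICYENGINE_GITHUB }}`, and test `if: env.POLICYENGINE_GITHUB != ''` on the step, which also documents the secret's presence in one place. The Publish job header where that `env:` would sit is in the previous hunk; the step itself is fully inside this one.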