ci: replace PATs with GITHUB_TOKEN in CI workflows#6073
Merged
Conversation
Switch all same-repo GitHub operations from manually managed PATs to the built-in GITHUB_TOKEN: checkout, release create/upload, tag creation, and gh CLI calls. Add permissions: contents: write where needed. PATs that require cross-repo access or bot-triggered CI (vcpkg-auto-update, pot-auto-update, update-docs) are intentionally unchanged. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Grantim
added
skip-image-rebuild
Fedr
approved these changes
May 8, 2026
\${{ github.token }} doesn't expand when used in the secrets: block of a
reusable workflow call — the receiving secret comes through empty,
causing 'echo | gh auth login --with-token' to fail. Use the
canonical \${{ secrets.GITHUB_TOKEN }} form instead.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
MaxRayskiy
approved these changes
May 9, 2026
2 tasks
Fedr
added a commit
that referenced
this pull request
May 9, 2026
… releases (#6081) PR #6073 swapped BUILD_MACHINE_TOKEN for github.token in the unity nuget test, but unity-nuget-test.yml still declared contents:read at the workflow level. The .nupkg lives on a draft release, and GitHub only lists draft releases for callers with push (write) access — so `gh release download <tag>` now returns "release not found" against the draft, breaking the scheduled run. Bump the workflow permission to contents:write to match the other workflows updated in #6073.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
BUILD_MACHINE_TOKENandMESHINSPECTOR_BOT_TOKENwith the built-inGITHUB_TOKENfor all same-repo GitHub operationspermissions: contents: writeto workflows that create/update releases or tagsghCLI authentication fromgh auth login --with-tokenpiping to theGH_TOKENenv-var patternBUILD_MACHINE_TOKENfromon.workflow_call.secretsdeclarations where it is no longer usedIntentionally unchanged (PATs still required):
vcpkg-auto-update.yml—MESHINSPECTOR_BOT_VCPKG_UPDATE_TOKEN: pushes branches that must trigger CI (GITHUB_TOKEN pushes do not trigger workflows)pot-auto-update.yml— same token, same reasonupdate-docs.yml—MESHINSPECTOR_BOT_TOKEN: cross-repo checkout (MeshInspector/MeshInspector.github.io)Files changed
versioning-release.yml—GITHUB_TOKEN: ${{ github.token }}inmikepenz/action-gh-release; addedpermissions: contents: writedistro-release.yml— replacedgh auth loginwithenv: GH_TOKEN: ${{ github.token }}; addedpermissions: contents: writerelease-body-update.yml— same pattern; addedpermissions: contents: writeunity-nuget-test.yml— removedBUILD_MACHINE_TOKENsecret declaration; usegithub.tokenbuild-test-distribute.yml— changedpermissions: contents: read → write; removed PAT secret passing to callee workflows; replacedgh auth loginwithGH_TOKENenv varTest plan
vcpkg-auto-updateandpot-auto-updatestill reference bot token (no regression)🤖 Generated with Claude Code