Add PAT support for syncing workflow files in template-sync workflow #76

@coderabbitai

Context

The template-sync workflow added in PR #74 was primarily designed for auto-syncing coderabbit.yaml configuration files to repositories using this template.

However, if the workflow needs to sync files under .github/workflows/, the default GITHUB_TOKEN will be blocked by GitHub's security policy. This is because GITHUB_TOKEN cannot be used to push changes to workflow files—a Personal Access Token (PAT) with workflows scope is required.

Current Limitation

When the template-sync action tries to push changes that include workflow files, it will fail with an error like:

    refusing to allow a GitHub App to create or update workflow without workflows permission

Proposed Solution

To enable syncing of workflow files (if needed in the future), the workflow should be updated to:

  1. Use a repository secret containing a PAT with:

    • contents:write permission
    • workflows:write permission
  2. Pass this PAT to the action:

    target_gh_token: ${{ secrets.WORKFLOW_PAT }}

Related Discussion

Reported by: @kpj2006
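
A pre-flight check for the case described above, as an added example that is not part of the issue or the project's code: it uses the PAT only when the sync changeset touches `.github/workflows/` and fails early if such files changed but no PAT is configured. The function names and the assumption that changed paths arrive one per line (for instance from `git diff --name-only`) are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: choose the least-privileged token for a template-sync push.
# Assumption (not from the issue): changed paths are supplied one per line,
# e.g. the output of `git diff --name-only` against the template.

# Return 0 if any path on stdin is a file under .github/workflows/.
touches_workflows() {
  local path
  while IFS= read -r path; do
    path="${path#./}"                 # normalise a leading "./"
    case "$path" in
      .github/workflows/?*) return 0 ;;
    esac
  done
  return 1
}

# Print which token the push should use: "default" (GITHUB_TOKEN) or "pat".
# Exit status 2 means workflow files changed but no PAT is configured, which
# is the situation that ends in the "refusing to allow ..." push error.
# $1 = newline-separated changed paths, $2 = PAT value (may be empty)
select_token() {
  local changed="$1" pat="$2"
  if printf '%s\n' "$changed" | touches_workflows; then
    if [ -z "$pat" ]; then
      echo "workflow files changed but WORKFLOW_PAT is not set" >&2
      return 2
    fi
    echo "pat"
  else
    echo "default"
  fi
}

# Constructed sample changeset, for illustration only.
sample_changes='coderabbit.yaml
.github/workflows/template-sync.yml'
```

Keeping the default token for changesets without workflow files limits how often the broader PAT is exposed to the job.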
