@tgrunnagle
Collaborator

Problem

PRs created by the update_thv_models action are not triggering PR-related actions (namely quality checks). This is a deliberate limitation imposed by GitHub Actions that an action cannot trigger other workflows. However, we want quality checks on this action since it is updating model code.

Solution

Based on this discussion (peter-evans/create-pull-request#48 (comment)): GitHub is determining that API calls are coming from actions by checking the authentication token. If you use a repo-scoped token instead of the default GITHUB_TOKEN then the on: pull_request workflow will run checks against the created pull request. As mentioned in the discussion, this is the workaround suggested by the GitHub support team.

As part of this change, I've created a repo-scoped PAT (with only PR r/w permissions) for stacklok's 'bot' account and saved it as a repo secret.
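
The token split described above, as an added example that is not part of this PR or the project's workflow: the default GITHUB_TOKEN pushes the branch, and the PAT is used only to open the pull request. Only the secret name UPDATE_THV_MODELS_GITHUB_TOKEN comes from this page; the workflow, branch, bot identity and script names are hypothetical, and using the gh CLI to open the PR is an assumption.

```yaml
# Added example, not the project's workflow. All names are hypothetical
# except the secret UPDATE_THV_MODELS_GITHUB_TOKEN, which is from this page.
name: update-models-example
on:
  workflow_dispatch:

permissions:
  contents: write   # GITHUB_TOKEN is only used to push the update branch

jobs:
  open-pr:
    runs-on: ubuntu-latest
    steps:
      # actions/checkout keeps GITHUB_TOKEN as the git credential by default,
      # so the push below never needs the PAT.
      - uses: actions/checkout@v4

      - name: Regenerate models and push a branch
        run: |
          # Hypothetical generator; assumed to modify tracked files.
          ./scripts/regenerate_models.sh
          git config user.name "example-bot"
          git config user.email "example-bot@example.invalid"
          git checkout -b chore/update-models
          git commit -am "Update generated models"
          git push --force origin chore/update-models

      # Weak setting: opening the PR with the default token (given
      # pull-requests: write) creates the PR, but GitHub starts no
      # `on: pull_request` run for it, so quality checks never execute.
      #   env:
      #     GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      #
      # Corrected setting: open the PR with the bot account's repo-scoped
      # PAT (pull requests read/write only), stored as a repository secret.
      - name: Open the pull request
        env:
          GH_TOKEN: ${{ secrets.UPDATE_THV_MODELS_GITHUB_TOKEN }}
        run: |
          gh pr create --base main --head chore/update-models \
            --title "Update generated models" \
            --body "Automated model update."
```

In this layout the PAT never touches repository contents, which matches the pull-request-only scope described above.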


claude bot commented Nov 13, 2025

PR Review

Overall Assessment: Approved

This is a clean, focused change that addresses a legitimate GitHub Actions limitation.

Strengths

  • Correct Solution: Using a PAT instead of GITHUB_TOKEN is the recommended workaround for triggering workflows from automated PRs
  • Good Documentation: The inline comment with link to the GitHub issue provides clear context
  • Minimal Change: Only touches what is necessary (lines 120-122)
  • Security Conscious: PR description mentions using a repo-scoped PAT with minimal permissions (PR r/w only)

Observations

  1. Secret Management: Ensure UPDATE_THV_MODELS_GITHUB_TOKEN is properly configured as a repo secret
  2. Token Rotation: Consider documenting the PAT expiration date and renewal process in internal docs
  3. Permissions: The workflow already has appropriate permissions declared (lines 9-12)

No Issues Found

  • No code quality concerns
  • No bugs or security issues introduced
  • No breaking changes or regressions
  • Change is clear and minimal

Recommendation: Merge after verifying the secret is configured correctly.

@tgrunnagle tgrunnagle merged commit 580d334 into main Nov 13, 2025
6 checks passed
@tgrunnagle tgrunnagle deleted the fix_update_thv_models_action_2025-11-13 branch November 13, 2025 17:03