
fix(ci): use PAT for sync-skills workflow so downstream workflows fire #394

Merged
matv-stripe merged 1 commit into stripe:main from mvanhorn:fix/355-ci-pat-for-sync
May 6, 2026

@mvanhorn
Contributor

Closes #355

What

Switches the sync-skills workflow to use a PAT for checkout and the peter-evans/create-pull-request@v6 step, falling back to GITHUB_TOKEN when the secret is not set.

token: ${{ secrets.SYNC_SKILLS_PAT || secrets.GITHUB_TOKEN }}

Why

Per GitHub's docs, events produced by GITHUB_TOKEN pushes / PR creations do NOT trigger new workflow runs (exception: workflow_dispatch and repository_dispatch). Any workflow configured to run on push or pull_request is silently skipped when the sync bot creates the PR.

The issue links the GitHub doc directly.

Activation

To make the fallback route to the real PAT path, create a repo secret:

  • Name: SYNC_SKILLS_PAT
  • Type: fine-grained PAT scoped to this repository
  • Permissions: contents: write, pull-requests: write
  • Expiration: whatever your org policy prefers

Until the secret is created, the workflow still uses GITHUB_TOKEN and keeps working exactly as it does today - this PR does not regress anything.

Scope

One-line logic change in .github/workflows/sync-skills.yml, applied to both the checkout and the create-pull-request steps. No other workflow files touched. No secret added by the PR (that's a maintainer action).

Verified

  • YAML parses cleanly (ruby -ryaml -e "YAML.load_file(...)").
  • Fallback syntax is the same pattern used across peter-evans/create-pull-request documentation.

This contribution was developed with AI assistance (Claude Code).
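
The fallback described in this PR, written out as a hypothetical workflow fragment (an added example, not the repository's sync-skills.yml). The trigger, sync script path, branch and PR title are assumptions, and the first step is an addition that flags runs where the fallback to GITHUB_TOKEN is in effect.

```yaml
# Added example: hypothetical workflow, not the project's own file.
name: sync-skills-example
on:
  schedule:
    - cron: "0 6 * * *"        # constructed trigger
  workflow_dispatch:

# Applies to GITHUB_TOKEN only (the fallback path). The PAT's rights are
# fixed when it is created: contents: write, pull-requests: write.
permissions:
  contents: write
  pull-requests: write

jobs:
  sync:
    runs-on: ubuntu-latest
    env:
      # secrets.* cannot be referenced in a step-level `if:`, so expose
      # only a boolean saying whether the PAT secret is populated.
      HAS_SYNC_PAT: ${{ secrets.SYNC_SKILLS_PAT != '' }}
    steps:
      # Make the otherwise silent fallback visible in the run summary.
      - name: Warn when falling back to GITHUB_TOKEN
        if: env.HAS_SYNC_PAT != 'true'
        run: echo "::warning::SYNC_SKILLS_PAT is not set; using GITHUB_TOKEN, so push and pull_request workflows will not run for the sync PR."

      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.SYNC_SKILLS_PAT || secrets.GITHUB_TOKEN }}

      - name: Run the sync
        run: ./scripts/sync-skills.sh   # hypothetical script path

      - uses: peter-evans/create-pull-request@v6
        with:
          token: ${{ secrets.SYNC_SKILLS_PAT || secrets.GITHUB_TOKEN }}
          branch: sync/skills           # hypothetical branch name
          title: "chore: sync skills"   # hypothetical PR title
```

An expired or revoked PAT is still a non-empty secret, so the `||` fallback does not engage in that case; the token steps fail rather than quietly reverting to GITHUB_TOKEN.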

Closes stripe#355

Per GitHub's docs on GITHUB_TOKEN, events triggered by GITHUB_TOKEN do
not create new workflow runs. That means any downstream workflow
configured to run on push or pull_request events is silently skipped
when the sync-skills workflow creates a PR or commits.

Switches the checkout and peter-evans/create-pull-request@v6 steps to
use a SYNC_SKILLS_PAT secret, falling back to GITHUB_TOKEN when the
secret is not configured so the workflow keeps working for forks / CI
matrices that don't provision the PAT.

To activate the fix, create a SYNC_SKILLS_PAT repo secret with a PAT
that has `contents: write` and `pull-requests: write` on this repo.
Collaborator

@matv-stripe matv-stripe left a comment

ty!

@matv-stripe matv-stripe merged commit 1462341 into stripe:main May 6, 2026
5 checks passed
Development

Successfully merging this pull request may close these issues.

Switch sync workflow to use a PAT instead of GITHUB_TOKEN
