ci: use AUTOMATION_PAT for workflows that open PRs #914
Merged
mcottontensor merged 1 commit on Jun 21, 2026
The org-level policy "Allow GitHub Actions to create and approve pull requests" is disabled, so the default GITHUB_TOKEN cannot open PRs -- this is what broke the changesets prune job. Point the prune, changelog release, and backport workflows at a single AUTOMATION_PAT (repo + workflow scope) instead, replacing the now-removed BACKPORT_PAT. Dropped the GITHUB_TOKEN fallbacks: under this policy they can only fail, and a missing-secret error is clearer than the misleading "not permitted to create or approve pull requests" message.
💔 All backports failed
Manual backport
To create the backport manually run:
Questions? Please refer to the Backport tool documentation and see the GitHub Action logs for details
This was referenced Jun 21, 2026
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI.
Questions? Please refer to the Backport tool documentation
mcottontensor added a commit that referenced this pull request Jun 21, 2026
The org-level policy "Allow GitHub Actions to create and approve pull requests" is disabled, so the default GITHUB_TOKEN cannot open PRs -- this is what broke the changesets prune job. Point the prune, changelog release, and backport workflows at a single AUTOMATION_PAT (repo + workflow scope) instead, replacing the now-removed BACKPORT_PAT. Dropped the GITHUB_TOKEN fallbacks: under this policy they can only fail, and a missing-secret error is clearer than the misleading "not permitted to create or approve pull requests" message.
(cherry picked from commit 49a4163)
# Conflicts:
#	.github/workflows/changesets-prune-master.yml
Summary
The org-level policy "Allow GitHub Actions to create and approve pull requests" is disabled, so the default GITHUB_TOKEN cannot open PRs. This is what broke the Prune Master Changesets job, which failed with:

This points the three workflows that open PRs at a single repo/org secret, AUTOMATION_PAT (a PAT with repo + workflow scope), instead of GITHUB_TOKEN:
- changesets-prune-master.yml — the job that actually failed (peter-evans/create-pull-request)
- changesets-update-changelogs.yml — the release PR (changesets/action); same policy, would fail on the next release
- backport.yml — replaces the previous BACKPORT_PAT with the unified AUTOMATION_PAT

Why drop the GITHUB_TOKEN fallbacks?
Under this org policy the fallback can only ever fail, and it produces the misleading "not permitted to create or approve pull requests" error. Referencing AUTOMATION_PAT directly means a missing/expired secret fails loudly and clearly instead.

healthcheck-markdown-links.yml is intentionally left unchanged — it creates issues, which GITHUB_TOKEN is still permitted to do.

Notes
- AUTOMATION_PAT secret on the EpicGames repo/org (already added), with repo + workflow scope and SSO-authorized for the org.
- BACKPORT_PAT secret is now unused and can be removed.
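
A regression check for the change described above, as an added example that is not part of this PR or the repository: it flags any `${{ }}` expression that reads the default token, alone or as a fallback, in a workflow that uses one of the PR-opening actions named on this page. The function names, workflow excerpts, file names and action version tags are constructed for illustration.

```python
import re

# Actions named on this page that open pull requests.
PR_ACTIONS = ("peter-evans/create-pull-request", "changesets/action")
# A ${{ ... }} expression that reads the default token, alone or as a fallback.
DEFAULT_TOKEN = re.compile(
    r"\$\{\{[^}]*\b(?:secrets\.GITHUB_TOKEN|github\.token)\b[^}]*\}\}")

def audit(name, text):
    """Return (file, line_no, line) for default-token use in a PR-opening workflow."""
    if not any(re.search(r"uses:\s*" + re.escape(a) + r"@", text) for a in PR_ACTIONS):
        return []  # e.g. a workflow that only files issues is out of scope
    return [(name, n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if DEFAULT_TOKEN.search(line)]

# Constructed workflow excerpts (assumptions, not the repository's actual files).
SAMPLES = {
    "prune-before.yml": """\
      - uses: peter-evans/create-pull-request@v6
        with:
          token: ${{ secrets.AUTOMATION_PAT || secrets.GITHUB_TOKEN }}
""",
    "prune-after.yml": """\
      - uses: peter-evans/create-pull-request@v6
        with:
          token: ${{ secrets.AUTOMATION_PAT }}
""",
    "release-before.yml": """\
      - uses: changesets/action@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
""",
    "issues-only.yml": """\
      - uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
""",
}

def audit_all(files):
    """Audit a {file name: workflow text} mapping and collect all findings."""
    return [f for name, text in files.items() for f in audit(name, text)]

if __name__ == "__main__":
    for name, n, line in audit_all(SAMPLES):
        print(f"{name}:{n}: default token in PR-opening workflow: {line}")
```

The issues-only sample stands in for a workflow like healthcheck-markdown-links.yml, which may keep GITHUB_TOKEN and is therefore not reported.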