Context
The template-sync workflow added in PR #74 was primarily designed for auto-syncing coderabbit.yaml configuration files to repositories using this template.
However, if the workflow needs to sync files under .github/workflows/, the default GITHUB_TOKEN will be blocked by GitHub's security policy. This is because GITHUB_TOKEN cannot be used to push changes to workflow files—a Personal Access Token (PAT) with workflows scope is required.
Current Limitation
When the template-sync action tries to push changes that include workflow files, it will fail with an error like:
refusing to allow a GitHub App to create or update workflow without workflows permission
Proposed Solution
To enable syncing of workflow files (if needed in the future), the workflow should be updated to:
- Use a repository secret containing a PAT with:
  - contents:write permission
  - workflows:write permission
- Pass this PAT to the action:
  target_gh_token: ${{ secrets.WORKFLOW_PAT }}
Related Discussion
Reported by: @kpj2006
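
A workflow sketch of the proposal above, added here as an example and not taken from the repository or PR #74. It assumes the template-sync action is AndreasAugustin/actions-template-sync (the page does not name it); the schedule, template repository path and branch are placeholders.

```yaml
# Added example: scheduled template sync that pushes with a PAT so that
# changes under .github/workflows/ are accepted.
name: template-sync

on:
  schedule:
    - cron: "0 3 * * 1"        # constructed schedule
  workflow_dispatch:

# Keep the built-in GITHUB_TOKEN narrow; it cannot update workflow files anyway.
permissions:
  contents: write
  pull-requests: write

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: AndreasAugustin/actions-template-sync@v2   # assumed action
        with:
          source_repo_path: OWNER/TEMPLATE-REPO          # placeholder
          upstream_branch: main                          # placeholder
          source_gh_token: ${{ secrets.GITHUB_TOKEN }}
          # Per the issue, a push made with GITHUB_TOKEN is refused when the
          # sync touches .github/workflows/. The PAT from the repository
          # secret named in the proposal is used for the target instead.
          target_gh_token: ${{ secrets.WORKFLOW_PAT }}
```

Restricting the PAT to this one repository and setting an expiry limits what a leaked WORKFLOW_PAT secret can be used for.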