fix(ci): push versions to bot/toolchain-versions branch, bypass main branch protection (#228)

DimaBir · Dima Birenbaum · web-flow · commit e20e8b61ec13 · 2026-03-23T18:41:18.000+02:00
Co-authored-by: Dima Birenbaum &lt;dbirenbaum@microsoft.com&gt;
diff --git a/.github/workflows/msdo-breach-monitor.md b/.github/workflows/msdo-breach-monitor.md
@@ -75,9 +75,9 @@ Monitor for supply chain security incidents affecting any tool in the MSDO toolc
 
 The `toolchain-version-probe` workflow runs weekly, installs every tool through the real MSDO CLI, and records exactly which package version was resolved into `.github/toolchain-versions.json`. These are the versions MSDO users actually download — not registry "latest", but the version pinned in MSDO's `.gdntool` configs.
 
-**Read the file from this repository:**
+**Read the file from this repository (the probe pushes to a dedicated branch to avoid branch protection on main):**
 ```
-GET https://api.github.com/repos/microsoft/security-devops-action/contents/.github/toolchain-versions.json
+GET https://api.github.com/repos/microsoft/security-devops-action/contents/.github/toolchain-versions.json?ref=bot/toolchain-versions
 ```
 Decode the base64 `content` field. The `tools` object maps each tool name to its resolved version. The `generated_at` field tells you when the probe last ran.
 
diff --git a/.github/workflows/toolchain-version-probe.yml b/.github/workflows/toolchain-version-probe.yml
@@ -120,5 +120,7 @@ jobs:
             echo "toolchain-versions.json unchanged — nothing to commit"
           else
             git commit -m "chore(ci): update toolchain-versions.json [skip ci]"
-            git push
+            # Push to dedicated unprotected branch — main has branch protection
+            # requiring PRs. The breach monitor reads from this branch via API.
+            git push origin HEAD:bot/toolchain-versions --force
           fi
