ci(spec-sync): use fine-grained PAT and bump pinned actions to Node-24 #13

Merged
kunwar-vp merged 1 commit into main from chore/spec-sync-use-pat on May 14, 2026
Conversation

@kunwar-vp (Collaborator)

Summary

Fix the nightly spec-sync workflow, which has been failing every day since 2026-04-28 with:

##[error]GitHub Actions is not permitted to create or approve pull requests.

The root cause is the voltagepark org policy that forbids GITHUB_TOKEN from creating or approving PRs. The per-repo toggle (Settings → Actions → General → Workflow permissions → "Allow GitHub Actions to create and approve pull requests") is overridden by the org policy, and we'd rather not weaken the org policy for this single bot — the principle of least privilege says scope the capability to just this workflow.

This PR switches the workflow from secrets.GITHUB_TOKEN to a fine-grained PAT (secrets.GH_PAT) and bumps the pinned actions to their Node-24-compatible majors ahead of the 2026-06-02 GitHub Actions deprecation cutover.

Required before merging

The repo needs a new secret GH_PAT containing a fine-grained personal access token with:

  • Resource owner: voltagepark
  • Repository access: Only this repo (graphn-sdk-python)
  • Repository permissions:
    • Contents: Read and write (push spec-sync/auto branch)
    • Pull requests: Read and write (create / update the PR)
    • Metadata: Read (auto-required)
    • everything else: No access

Once the secret is added, this PR can merge and the nightly run (or a manual workflow_dispatch) will succeed end-to-end.

What changed

  • permissions: block at the workflow level dropped from contents: write / pull-requests: write to contents: read. The PAT carries the write rights now; GITHUB_TOKEN no longer needs them.
  • Added a long comment block at the top of the workflow documenting the auth model so the next person doesn't have to re-derive it.
  • actions/checkout @v4 -> @v5 (Node 24, released 2025-08-11).
  • actions/setup-python @v5 -> @v6 (Node 24, released 2025-09-04).
  • peter-evans/create-pull-request @v6 -> @v8 (Node 24, released 2025-12-09; v7 was still Node 20).
  • token: arg on actions/checkout and peter-evans/create-pull-request set to ${{ secrets.GH_PAT }} so the branch push and the create-PR call land under the same identity.

What did not change

  • Regenerate command, test step, branch name (spec-sync/auto), commit message, PR title, PR body, labels — all identical, so the bot's output looks the same as before.
  • Schedule (daily 09:00 UTC) and workflow_dispatch inputs — unchanged.

Test plan

  • python3 -c "import yaml; yaml.safe_load(open('.github/workflows/spec-sync.yml'))" parses cleanly.
  • Add GH_PAT secret to the repo (manual, see "Required before merging" above).
  • Trigger workflow_dispatch on this branch (or after merge) and confirm the bot opens / updates a PR. Expected outcome: either a no-op (spec hasn't changed since the last successful run) or an updated PR on spec-sync/auto.
  • Watch the next scheduled run (09:00 UTC) and confirm green.

Related

The nightly spec-sync workflow has been failing every day since
2026-04-28 with `GitHub Actions is not permitted to create or
approve pull requests`. Root cause is the voltagepark org policy
that forbids `GITHUB_TOKEN` from creating or approving PRs; the
per-repo toggle is overridden by org policy and we don't want to
weaken the org policy for this single bot.

Switch the workflow to a fine-grained PAT (`secrets.GH_PAT`)
scoped to this repo only with `Contents: read+write` and
`Pull requests: read+write`. Pass the PAT to both `actions/checkout`
(so the spec-sync/auto branch push lands as the PAT identity) and
`peter-evans/create-pull-request` (so the create/update-PR call
lands under the same identity). Drop workflow-level `contents: write`
/ `pull-requests: write` since the PAT carries those rights now and
GITHUB_TOKEN no longer needs them.

While here, bump the pinned actions to their Node-24-compatible
majors ahead of the 2026-06-02 deprecation cutover:
  - actions/checkout         v4 -> v5
  - actions/setup-python     v5 -> v6
  - peter-evans/create-pull-request  v6 -> v8

No behavior change to the regenerate / test path; only auth and
runtime versions move.
kunwar-vp merged commit 10bb352 into main on May 14, 2026
8 checks passed
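The auth model the PR describes, written out as a complete workflow. This is an added example, not the repository's spec-sync.yml and not the author's code: the schedule, branch name, action majors, `permissions` block, and the two `token:` inputs follow the PR text; the Python version, the regenerate and test commands, and the commit message / PR title / PR body are placeholders the PR does not state. The pre-PR settings are shown as comments beside the hardened ones.

```yaml
# Added example of the spec-sync workflow after the PR (assumed reconstruction,
# not the project's file). Placeholders are marked "assumed".
name: spec-sync

on:
  schedule:
    - cron: "0 9 * * *"          # daily 09:00 UTC, as stated in the PR
  workflow_dispatch:

# Before the PR: contents: write / pull-requests: write on GITHUB_TOKEN.
# After: GITHUB_TOKEN only needs to read the repo. Every write goes through
# the fine-grained PAT below, which the org policy on GITHUB_TOKEN does not
# govern. Note this block constrains GITHUB_TOKEN only; the PAT's own
# permission set (Contents, Pull requests, Metadata) is the real boundary.
permissions:
  contents: read

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5              # was @v4 (Node 20)
        with:
          # Before: the default GITHUB_TOKEN. checkout persists this token in
          # the repo's git credential config, so the later push of
          # spec-sync/auto is attributed to the PAT identity.
          token: ${{ secrets.GH_PAT }}

      - uses: actions/setup-python@v6          # was @v5 (Node 20)
        with:
          python-version: "3.12"               # assumed; not stated in the PR

      - name: Regenerate SDK from spec
        run: make regenerate                   # assumed placeholder for the project's command

      - name: Run tests
        run: python -m pytest                  # assumed placeholder for the project's test step

      - uses: peter-evans/create-pull-request@v8   # was @v6; v7 was still Node 20
        with:
          # Before: ${{ secrets.GITHUB_TOKEN }}, which the org policy rejects with
          # "GitHub Actions is not permitted to create or approve pull requests".
          token: ${{ secrets.GH_PAT }}
          branch: spec-sync/auto
          base: main
          commit-message: "chore(spec-sync): regenerate from upstream spec"   # assumed
          title: "chore(spec-sync): regenerate from upstream spec"            # assumed
          body: "Automated spec sync."                                         # assumed
```

Two operational consequences of the PAT that the PR does not spell out: a pull request opened with a PAT does trigger `on: pull_request` workflows (events created with GITHUB_TOKEN do not start further runs), so CI will now run on the bot's PR; and fine-grained PATs carry an expiration, so when GH_PAT lapses the nightly job fails again with an auth error, which makes rotation of the secret part of the same runbook.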