From 36a66473183df5a8eb2575510feb88a73c4b42f3 Mon Sep 17 00:00:00 2001
From: kunwar-vp
Date: Thu, 14 May 2026 11:38:36 -0700
Subject: [PATCH] ci(spec-sync): use fine-grained PAT and bump pinned actions to Node-24

The nightly spec-sync workflow has been failing every day since 2026-04-28 with `GitHub Actions is not permitted to create or approve pull requests`. Root cause is the voltagepark org policy that forbids `GITHUB_TOKEN` from creating or approving PRs; the per-repo toggle is overridden by org policy and we don't want to weaken the org policy for this single bot.

Switch the workflow to a fine-grained PAT (`secrets.GH_PAT`) scoped to this repo only with `Contents: read+write` and `Pull requests: read+write`. Pass the PAT to both `actions/checkout` (so the spec-sync/auto branch push lands as the PAT identity) and `peter-evans/create-pull-request` (so the create/update-PR call lands under the same identity). Drop workflow-level `contents: write` / `pull-requests: write` since the PAT carries those rights now and GITHUB_TOKEN no longer needs them.

While here, bump the pinned actions to their Node-24-compatible majors ahead of the 2026-06-02 deprecation cutover:
- actions/checkout v4 -> v5
- actions/setup-python v5 -> v6
- peter-evans/create-pull-request v6 -> v8

No behavior change to the regenerate / test path; only auth and runtime versions move.
---
 .github/workflows/spec-sync.yml | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/spec-sync.yml b/.github/workflows/spec-sync.yml
index 72cbcb7..81524c3 100644
--- a/.github/workflows/spec-sync.yml
+++ b/.github/workflows/spec-sync.yml
@@ -13,16 +13,30 @@ on:
         default: "https://cp.graphn.ai/openapi.yaml"
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
+
+# Auth model: this workflow uses a fine-grained PAT (`secrets.GH_PAT`)
+# instead of `GITHUB_TOKEN` so the bot can open pull requests. The
+# voltagepark org policy ("Allow GitHub Actions to create and approve
+# pull requests" = off) means `GITHUB_TOKEN` cannot create PRs no
+# matter what the per-repo toggle says, and we don't want to weaken
+# that policy org-wide for this single workflow. The PAT is
+# fine-grained, scoped to this repo only, and only needs:
+# - Contents: Read and write (push the spec-sync/auto branch)
+# - Pull requests: Read and write (create / update the PR)
+# Both `actions/checkout` and `peter-evans/create-pull-request` are
+# given the PAT explicitly so the push and the create-PR call land
+# under the same identity.
 
 jobs:
   regenerate:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
+        with:
+          token: ${{ secrets.GH_PAT }}
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: "3.12"
           cache: pip
@@ -42,9 +56,9 @@ jobs:
         run: pytest -ra
 
       - name: Open PR if anything changed
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v8
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.GH_PAT }}
           add-paths: src/graphn/_generated
           branch: spec-sync/auto
           delete-branch: true
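Review bot: Passing `secrets.GH_PAT` to `actions/checkout` as `token:` leaves a PR-writing credential in the checkout's git config for the rest of the job (checkout persists credentials by default), so the regenerate and `pytest` steps that follow run with it readable from disk by any dependency they execute. As far as I can tell, `peter-evans/create-pull-request` pushes the branch itself using the token it is given, so the checkout token is not needed for the push; I would drop the `with: token:` block on the checkout step, or at minimum add `persist-credentials: false` under it, and reword the header comment's "Both … are given the PAT explicitly" accordingly. The header comment should also record who owns the PAT and its expiry date, since fine-grained PATs expire and a lapse reproduces the nightly failure this commit fixes. The bumped refs `actions/checkout@v5`, `actions/setup-python@v6` and (in the second hunk) `peter-evans/create-pull-request@v8` are floating major tags; pinning each to a full commit SHA with the tag in a trailing comment would turn the Node-24 bump into a supply-chain hardening as well.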
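Review bot: Switching the `token:` of `peter-evans/create-pull-request` to `secrets.GH_PAT` changes more than auth: a PR opened with a PAT triggers this repo's `pull_request`-driven workflows, which a PR opened with `GITHUB_TOKEN` did not, so the "no behavior change" claim in the description does not quite hold. That is usually the desired outcome (CI runs on the bot's PR), but it should be confirmed and stated in the header comment, e.g. `# PRs opened with the PAT trigger pull_request workflows, unlike GITHUB_TOKEN.` Since the PAT carries `Contents: Read and write` on the whole repo, not just `spec-sync/auto`, it is also worth verifying that the branch rulesets protecting the default branch apply to the PAT's identity.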