Replace personal PAT with GITHUB_TOKEN in versioning workflow (#1530)

vahid-ahmadi · claude · web-flow · commit 6fdf59b77e6a · 2026-03-17T18:07:42.000Z
The Versioning job previously required secrets.POLICYENGINE_GITHUB (a
personal PAT) to push the version bump commit and re-trigger the Publish
job. This broke when the PAT expired.

Changes:
- Use GITHUB_TOKEN with contents:write for same-repo checkout/push
- Restructure Publish as needs:Versioning sequential job instead of
  relying on a re-triggered push event (GITHUB_TOKEN pushes don't
  trigger new workflow runs)
- Make cross-repo update_api.py conditional on POLICYENGINE_GITHUB
  secret availability

Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/versioning.yaml b/.github/workflows/versioning.yaml
@@ -1,4 +1,6 @@
 # Workflow that runs on versioning metadata updates.
+# Uses GITHUB_TOKEN (not a personal PAT) for same-repo operations.
+# Cross-repo API updates require POLICYENGINE_GITHUB secret (org-level PAT).
 
 name: Versioning updates
 on:
@@ -11,16 +13,20 @@ on:
       - pyproject.toml
   workflow_dispatch:
 
+permissions:
+  contents: write
+
 jobs:
   Versioning:
     runs-on: ubuntu-latest
     if: |
       (!(github.event.head_commit.message == 'Update package version'))
+    outputs:
+      committed: ${{ steps.commit.outputs.committed }}
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
         with:
-          token: ${{ secrets.POLICYENGINE_GITHUB }}
           fetch-depth: 0
       - name: Install uv
         uses: astral-sh/setup-uv@v5
@@ -35,18 +41,20 @@ jobs:
           python .github/bump_version.py
           towncrier build --yes --version $(python -c "import re; print(re.search(r'version = \"(.+?)\"', open('pyproject.toml').read()).group(1))")
       - name: Update changelog
+        id: commit
         uses: EndBug/add-and-commit@v9
         with:
           add: "."
           message: Update package version
   Publish:
     runs-on: ubuntu-latest
-    if: (github.event.head_commit.message == 'Update package version')
-    env:
-      GH_TOKEN: ${{ secrets.POLICYENGINE_GITHUB }}
+    needs: Versioning
+    if: needs.Versioning.outputs.committed == 'true'
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
+        with:
+          ref: main
       - name: Install uv
         uses: astral-sh/setup-uv@v5
 
@@ -71,6 +79,7 @@ jobs:
           password: ${{ secrets.PYPI }}
           skip_existing: true
       - name: Update API
+        if: ${{ secrets.POLICYENGINE_GITHUB != '' }}
         run: python .github/update_api.py
         env:
-          GITHUB_TOKEN: ${{ secrets.POLICYENGINE_GITHUB }}
+          GITHUB_TOKEN: ${{ secrets.POLICYENGINE_GITHUB }}
diff --git a/changelog.d/fix-versioning-workflow.changed.md b/changelog.d/fix-versioning-workflow.changed.md
@@ -0,0 +1 @@
+Replaced personal PAT with `GITHUB_TOKEN` in versioning workflow. Publish now runs as a sequential job instead of requiring a re-triggered workflow, removing the dependency on a personal access token for same-repo operations.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Replaced personal PAT with `GITHUB_TOKEN` in versioning workflow. Publish now runs as a sequential job instead of requiring a re-triggered workflow, removing the dependency on a personal access token for same-repo operations.