fix(ci): use GITHUB_TOKEN for release downloads to avoid PAT rate limits

milldr · claude · milldr · commit c845c083db32 · 2026-01-28T10:45:30.000-05:00
The REPO_ACCESS_TOKEN PAT was hitting GitHub API rate limits, causing
release asset downloads to fail with HTTP 403 errors. The GITHUB_TOKEN
has separate per-workflow rate limits that won't be exhausted by other
workflows.

- Add github_token input to build-website action
- Use github_token for release downloads when provided, fall back to repo_access_token
- Pass GITHUB_TOKEN in preview and release workflows

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/.github/actions/build-website/action.yml b/.github/actions/build-website/action.yml
@@ -18,6 +18,10 @@ inputs:
   repo_access_token:
     description: "GitHub Token used to access private repos"
     required: true
+  github_token:
+    description: "GitHub Token for downloading release assets (uses separate rate limits from PAT)"
+    required: false
+    default: ""
   skip_library_download:
     description: "Skip downloading library docs from release (use when docs are already present)"
     default: "false"
@@ -63,11 +67,12 @@ runs:
         make init
 
     # Download pre-built library docs from the most recent release (draft or published) that has the asset
+    # Uses github_token if provided (separate rate limits), falls back to repo_access_token
     - name: "Download Pre-built Library Docs"
       if: ${{ inputs.skip_library_download != 'true' }}
       shell: bash
       env:
-        GH_TOKEN: ${{ inputs.repo_access_token }}
+        GH_TOKEN: ${{ inputs.github_token != '' && inputs.github_token || inputs.repo_access_token }}
       run: |
         DOWNLOADED=false
 
diff --git a/.github/workflows/website-deploy-preview.yml b/.github/workflows/website-deploy-preview.yml
@@ -65,6 +65,7 @@ jobs:
           iam_role_arn: ${{ env.IAM_ROLE_ARN }}
           iam_role_session_name: ${{ env.IAM_ROLE_SESSION_NAME }}
           repo_access_token: ${{ secrets.REPO_ACCESS_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Copy Website to S3 Bucket PR Folder
         run: |
diff --git a/.github/workflows/website-deploy-release.yml b/.github/workflows/website-deploy-release.yml
@@ -66,6 +66,7 @@ jobs:
           google_tag_manager: ${{ env.GOOGLE_TAG_MANAGER }}
           google_site_verification_id: ${{ env.GOOGLE_SITE_VERIFICATION_ID }}
           repo_access_token: ${{ secrets.REPO_ACCESS_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
           skip_library_download: "true"
 
       # "assets/refarch/handoffs/*" are handled by cloudposse-corp/demos
