fix(release): use built-in GITHUB_TOKEN to dispatch recompile workflow (#923)

jamesadevine · Copilot · web-flow · commit ce617a7b019f · 2026-06-09T10:20:22.000+01:00
The post-release `trigger-recompile-safe-output-fixtures` job was using `secrets.GH_AW_CI_TRIGGER_TOKEN` to authenticate `gh workflow run`. That secret is a gh-aw runtime convention scoped to agentic workflows' safe-output PR creation; `release.yml` is a plain GitHub Actions workflow and shouldn't depend on it. When the secret is not provisioned (as on this repo today), the dispatch step fails with `GH_TOKEN` unset and the recompile never runs (see run 27193012425).

Switch the dispatch to the built-in `secrets.GITHUB_TOKEN` with an explicit `permissions: actions: write` scope. The dispatched recompile workflow continues to use its own secrets for any downstream PR creation, so no behavior is lost.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -191,20 +191,23 @@ jobs:
     name: Trigger safe-output fixture recompile
     needs: [release-please, checksums]
     # Run only once all release assets (binaries + checksums.txt) are uploaded.
-    # Releases published via release-please use the default GITHUB_TOKEN, which
-    # does NOT fire the `release: published` event on other workflows (GitHub
-    # actively suppresses this to prevent recursive triggers). Dispatch the
-    # recompile workflow explicitly here using a PAT so the dispatched run can
-    # itself open a PR.
+    # Releases published via release-please do NOT fire the `release: published`
+    # event on other workflows (GitHub suppresses this to prevent recursive
+    # triggers), so we explicitly dispatch the recompile workflow here. The
+    # default GITHUB_TOKEN has the `actions:write` scope needed to run
+    # `gh workflow run`; the dispatched workflow uses its own secrets for any
+    # downstream PR creation.
     if: >-
       always() &&
       (needs.release-please.outputs.release_created == 'true' || github.event_name == 'workflow_dispatch') &&
       needs.checksums.result == 'success'
     runs-on: ubuntu-22.04
+    permissions:
+      actions: write
     steps:
       - name: Dispatch recompile-safe-output-fixtures
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_AW_CI_TRIGGER_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           set -euo pipefail
           TAG="${{ needs.release-please.outputs.tag_name || github.event.inputs.tag_name }}"
