fix(ci): use workflow-scoped token for Bioconda publish

ivan-aksamentov · ivan-aksamentov · commit cb23f41f8b06 · 2026-04-15T19:04:45.000+02:00
The Bioconda publish job fails when pushing the version bump branch to the `nextstrain/bioconda-recipes` fork: ``` refusing to allow a Personal Access Token to create or update workflow `.github/workflows/PR.yml` without `workflow` scope ``` GitHub requires the `workflow` scope on any token that pushes a ref whose tree contains `.github/workflows/` files. The fork inherits these files from upstream `bioconda/bioconda-recipes`, so the scope is required even though our commit only touches `recipes/nextclade/meta.yaml`. Switch from `GH_TOKEN_NEXTSTRAIN_BOT_REPO` to `GH_TOKEN_NEXTSTRAIN_BOT_WORKFLOW`, which carries the `workflow` scope in addition to the same permissions as the previous token. - CI failure: https://github.com/nextstrain/nextclade/actions/runs/24439124069/job/71399868528 - Discussion: https://bedfordlab.slack.com/archives/C01LCTT7JNN/p1776233996707089
diff --git a/.github/workflows/bioconda.yml b/.github/workflows/bioconda.yml
@@ -44,7 +44,7 @@ jobs:
         id: bump-version
         shell: bash
         run: |
-          export GITHUB_TOKEN="${{ secrets.GH_TOKEN_NEXTSTRAIN_BOT_REPO }}"
+          export GITHUB_TOKEN="${{ secrets.GH_TOKEN_NEXTSTRAIN_BOT_WORKFLOW }}"
 
           mkdir -p "${HOME}/bin"
           export PATH="${HOME}/bin:${PATH}"
