fix: use GITHUB_TOKEN for PR checkouts, reserve COMMAND_BOT_PAT for push only #14359

Merged
skjnldsv merged 2 commits into master from copilot/update-workflow-token-usage
Apr 16, 2026
Contributor

Copilot AI commented Apr 16, 2026

secrets.COMMAND_BOT_PAT was used unconditionally in the checkout step, causing the workflow to fail on fork PRs where that secret is unavailable. The PAT is only needed for the gh-pages push, not for the build/verify steps.

Changes

  • .github/workflows/generate-top-index.yml: Conditionally select the checkout token based on event type:
# Before
token: ${{ secrets.COMMAND_BOT_PAT }}

# After
token: ${{ github.event_name == 'push' && secrets.COMMAND_BOT_PAT || github.token }}

☑️ Resolves

🖼️ Screenshots

Original prompt

Problem

The workflow .github/workflows/generate-top-index.yml currently uses secrets.COMMAND_BOT_PAT unconditionally in the checkout step, which prevents it from working on forks since they don't have access to this secret.

Solution

Modify the workflow to:

  1. Use secrets.COMMAND_BOT_PAT only for push events (when deploying to gh-pages)
  2. Use the default GITHUB_TOKEN for pull request events (when just testing the build)

Changes needed

In .github/workflows/generate-top-index.yml:

Line 33 currently has:

token: ${{ secrets.COMMAND_BOT_PAT }}

Change it to:

token: ${{ github.event_name == 'push' && secrets.COMMAND_BOT_PAT || github.token }}

This conditional expression will:

  • Use secrets.COMMAND_BOT_PAT when the event is a push (needed for gh-pages deployment)
  • Use github.token (the default GITHUB_TOKEN) for pull requests (works on forks)

The PAT is only actually needed for the push to gh-pages branch anyway (lines 64-75), so pull requests don't require it.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Please ensure it still works on forks by NOT using secrets.COMMAND_BOT_PAT if it's a PR. Only use it on push

Assistant: I can see the issue. The workflow currently uses secrets.COMMAND_BOT_PAT unconditionally in the checkout step (line 33), which will fail on forks since they won't have access to this secret. The solution is to conditionally use the PAT only for push events, and use the default GITHUB_TOKEN for pull requests.

Assistant: I'm waiting for your approval to create a pull request that will make the workflow work on forks by using the PAT only for push events and the default GitHub token for pull requests.

This pull request was created from Copilot chat.
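
An added example, not part of the pull request or the project's code: a small lint for the pattern this PR fixes, a `token:` input that depends on a repository secret with no fallback to the default token in a workflow that also runs for `pull_request`. The sample workflow is constructed around the two `token:` lines quoted above; the function name, the trigger block and the `actions/checkout@v4` step are assumptions.

```python
import re

# A `token:` input whose value is a single GitHub Actions expression.
TOKEN_RE = re.compile(r"^\s*token:\s*\$\{\{\s*(?P<expr>.+?)\s*\}\}\s*$")
SECRET_RE = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")
# \b keeps this from matching pull_request_target, a different trigger.
PR_TRIGGER_RE = re.compile(r"\bpull_request\b")
DEFAULT_TOKENS = ("github.token", "secrets.GITHUB_TOKEN")


def find_ungated_secret_tokens(workflow_text):
    """Return [(line_no, secret_name)] for `token:` inputs that rely on a
    repository secret with no `|| <default token>` fallback, in a workflow
    that mentions the pull_request trigger. Text heuristic, not a YAML parser."""
    if not PR_TRIGGER_RE.search(workflow_text):
        return []
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = TOKEN_RE.match(line)
        if not match:
            continue
        expr = match.group("expr")
        secrets = [s for s in SECRET_RE.findall(expr) if s != "GITHUB_TOKEN"]
        has_fallback = "||" in expr and any(t in expr for t in DEFAULT_TOKENS)
        if secrets and not has_fallback:
            findings.append((line_no, secrets[0]))
    return findings


# Constructed sample workflow; only the two token lines come from the PR.
OLD_TOKEN = "token: ${{ secrets.COMMAND_BOT_PAT }}"
NEW_TOKEN = ("token: ${{ github.event_name == 'push' "
             "&& secrets.COMMAND_BOT_PAT || github.token }}")
BEFORE = """\
on:
  push:
    branches: [master]
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.COMMAND_BOT_PAT }}
"""
AFTER = BEFORE.replace(OLD_TOKEN, NEW_TOKEN)

if __name__ == "__main__":
    print("before:", find_ungated_secret_tokens(BEFORE))
    print("after: ", find_ungated_secret_tokens(AFTER))
```
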

@skjnldsv skjnldsv requested a review from miaulalala April 16, 2026 14:49
@skjnldsv skjnldsv marked this pull request as ready for review April 16, 2026 14:49
Copilot AI changed the title from "[WIP] Update workflow to conditionally use secrets for token" to "fix: use GITHUB_TOKEN for PR checkouts, reserve COMMAND_BOT_PAT for push only" Apr 16, 2026
Copilot AI requested a review from skjnldsv April 16, 2026 14:50
@skjnldsv skjnldsv mentioned this pull request Apr 16, 2026
@skjnldsv
Member

skjnldsv commented Apr 16, 2026

@skjnldsv skjnldsv mentioned this pull request Apr 16, 2026
@miaulalala miaulalala enabled auto-merge April 16, 2026 14:54
@skjnldsv skjnldsv disabled auto-merge April 16, 2026 14:57
@skjnldsv
Member

Failure unrelated, merging

@skjnldsv skjnldsv merged commit cf8b1b3 into master Apr 16, 2026
31 of 39 checks passed
@skjnldsv skjnldsv deleted the copilot/update-workflow-token-usage branch April 16, 2026 14:57