From 64a0bc1f7eee36a6b0e12364a892c60d4efa898a Mon Sep 17 00:00:00 2001
From: devops-engineer
Date: Thu, 7 May 2026 07:01:46 -0700
Subject: [PATCH] fix(ci): use AUTO_SYNC_TOKEN for auto-sync main->staging (Class D)
Same shape as molecule-controlplane#29: per-job GITHUB_TOKEN doesn't have the Gitea API permissions to open PRs / push branches the auto-sync flow needs. AUTO_SYNC_TOKEN is the devops-engineer persona PAT (per saved memory feedback_per_agent_gitea_identity_default).
Companion prod ops (already done):
- devops-engineer added as collaborator on molecule-core (write)
- devops-engineer added to staging branch protection push_whitelist
- AUTO_SYNC_TOKEN registered as Actions secret on molecule-core
---
 .github/workflows/auto-sync-main-to-staging.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/auto-sync-main-to-staging.yml b/.github/workflows/auto-sync-main-to-staging.yml
index 76d891e3..222b2961 100644
--- a/.github/workflows/auto-sync-main-to-staging.yml
+++ b/.github/workflows/auto-sync-main-to-staging.yml
@@ -103,7 +103,7 @@ jobs:
 with:
 fetch-depth: 0
 ref: staging
- token: ${{ secrets.GITHUB_TOKEN }}
+ token: ${{ secrets.AUTO_SYNC_TOKEN }}
 - name: Configure git author
 run: |
@@ -174,7 +174,7 @@ jobs:
 - name: Open auto-sync PR + enable auto-merge
 if: steps.check.outputs.needs_sync == 'true'
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ secrets.AUTO_SYNC_TOKEN }}
 BRANCH: ${{ steps.check.outputs.branch }}
 MAIN_SHORT: ${{ steps.check.outputs.main_short }}
 DID_FF: ${{ steps.prep.outputs.did_ff }}
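Review bot: The `token: ${{ secrets.AUTO_SYNC_TOKEN }}` line in the first hunk hands a long-lived, write-capable PAT to what looks like an actions/checkout step (the `uses:` line is outside the hunk). Checkout stores its token in the local git config by default, so every later step in the job, including the `run:` scripts, can read it, whereas the per-job `GITHUB_TOKEN` it replaces stopped being valid when the job ended. If the later push can be given the credential explicitly, add `persist-credentials: false` under `with:`; if the push relies on the persisted credential, record that next to the line, for example `# AUTO_SYNC_TOKEN: devops-engineer PAT, scope limited to pushing branches and opening PRs; persisted for the push step below`. The second hunk keeps the same PAT in one step's `env:` as `GH_TOKEN`, which is the narrower pattern. Because the commit message puts this identity on the staging push whitelist, confirm that the workflow's triggers cannot run with contributor-controlled refs or inputs; the `on:` block is not visible here.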