From e373fa1a9688dc55b72de6a2261ad4df3a7eb998 Mon Sep 17 00:00:00 2001 From: Hongming Wang Date: Tue, 28 Apr 2026 18:49:07 -0700 Subject: [PATCH] docs(ci): document auto-promote-staging GITHUB_TOKEN PR-create prereq MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a comment block at the top of auto-promote-staging.yml naming the load-bearing one-time repo setting that the workflow depends on: Settings → Actions → General → Workflow permissions → ✅ Allow GitHub Actions to create and approve pull requests Without this toggle, every workflow_run fails with "GitHub Actions is not permitted to create or approve pull requests (createPullRequest)". Observed 2026-04-29 01:43 UTC blocking the fcd87b9 promotion (PRs #2248 + #2249); manually bridged via PR #2252. The setting is invisible to anyone reading the workflow file, but the workflow cannot do its job without it. Documenting here so the next time it gets toggled off (org admin change, repo migration, audit cleanup) the failure mode points at the cause rather than another round of "why is auto-promote broken." Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/auto-promote-staging.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/workflows/auto-promote-staging.yml b/.github/workflows/auto-promote-staging.yml index 118d0c83..6d23c96e 100644 --- a/.github/workflows/auto-promote-staging.yml +++ b/.github/workflows/auto-promote-staging.yml 
@@ -20,6 +20,24 @@ name: Auto-promote staging → main # **Initial rollout:** ship this file but leave the `enabled` input set # such that nothing auto-promotes until staging CI has been reliably # green for a few days. Toggle via repo variable `AUTO_PROMOTE_ENABLED`. +# +# **One-time repo setting (load-bearing):** this workflow opens a +# staging→main PR via `gh pr create` using the default GITHUB_TOKEN. +# Since GitHub's 2022 default change, that token cannot create or +# approve PRs unless the repo opts in. The toggle is at: +# +# Settings → Actions → General → Workflow permissions +# → ✅ Allow GitHub Actions to create and approve pull requests +# +# Without it, every workflow_run fails with: +# +# pull request create failed: GraphQL: GitHub Actions is not +# permitted to create or approve pull requests (createPullRequest) +# +# Observed 2026-04-29 01:43 UTC blocking promotion of fcd87b9 (PRs +# #2248 + #2249); manually bridged via PR #2252. Re-check this +# setting if auto-promote starts failing with createPullRequest +# errors after a repo or org admin change. on: workflow_run:
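Review bot: The "One-time repo setting" paragraph tells readers to turn on "Allow GitHub Actions to create and approve pull requests" without saying that the toggle is a repo-level setting that covers approval as well as creation, while this workflow, per the same comment, only needs `gh pr create`. Suggest adding a sentence that the setting is broader than what auto-promote uses, and naming whatever keeps the staging→main PR from being approved by automation alone (for example a review requirement on `main`, if one exists; nothing in this hunk shows it). A secondary point: the "Observed 2026-04-29 01:43 UTC ... PR #2252" lines repeat the commit message and will go stale in the file. The quoted error string and the "Re-check this setting" sentence are the parts worth keeping in the workflow itself.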