From 3f72cc9db1b8365a49c5404a412c76155b822baf Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 15 Jul 2026 17:28:56 +0000 Subject: [PATCH 1/3] Initial plan From 54a1d24d6af98036724aaf86c0c2ad697c44be97 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 15 Jul 2026 17:35:20 +0000 Subject: [PATCH 2/3] fix: use PAT instead of GITHUB_TOKEN for automated PR creation in generate workflow The `gh pr create` command was failing with "GitHub Actions is not permitted to create or approve pull requests" because the repository setting "Allow GitHub Actions to create and approve pull requests" is disabled. `GITHUB_TOKEN` cannot create PRs when this setting is disabled, regardless of workflow-level permissions. The fix is to use a Personal Access Token (PAT) stored as a repository secret named `GH_TOKEN` for the PR creation step. The git push step continues to use `GITHUB_TOKEN` since pushing branches is not restricted by this setting. Admins need to create a PAT (classic PAT with "repo" scope, or fine-grained PAT with "pull_requests: write" + "contents: write") and store it as the `GH_TOKEN` repository secret. --- .github/workflows/generate-javascript.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/generate-javascript.yml b/.github/workflows/generate-javascript.yml index c0af3fd53b1..62259a30856 100644 --- a/.github/workflows/generate-javascript.yml +++ b/.github/workflows/generate-javascript.yml @@ -67,4 +67,9 @@ jobs: env: KUBERNETES_BRANCH: ${{ github.event.inputs.kubernetesBranch }} BASE_BRANCH: ${{ github.ref_name }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # GH_TOKEN must be a PAT (not GITHUB_TOKEN) because the repository setting + # "Allow GitHub Actions to create and approve pull requests" is disabled. + # Create a classic PAT with "repo" scope (or a fine-grained PAT with + # "pull_requests: write" and "contents: write" permissions) and store it + # as a repository secret named GH_TOKEN. + GH_TOKEN: ${{ secrets.GH_TOKEN }} From fdf1a065cfc57efcb44c0f1a64993279de29f549 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 15 Jul 2026 17:35:59 +0000 Subject: [PATCH 3/3] fix: improve PAT comment to clarify admin setup requirement and failure warning --- .github/workflows/generate-javascript.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/generate-javascript.yml b/.github/workflows/generate-javascript.yml index 62259a30856..696c58c8ca8 100644 --- a/.github/workflows/generate-javascript.yml +++ b/.github/workflows/generate-javascript.yml @@ -69,7 +69,10 @@ jobs: BASE_BRANCH: ${{ github.ref_name }} # GH_TOKEN must be a PAT (not GITHUB_TOKEN) because the repository setting # "Allow GitHub Actions to create and approve pull requests" is disabled. - # Create a classic PAT with "repo" scope (or a fine-grained PAT with - # "pull_requests: write" and "contents: write" permissions) and store it - # as a repository secret named GH_TOKEN. + # A repository administrator must create a PAT and store it as a repository + # secret named GH_TOKEN before this step can succeed: + # - Classic PAT: enable the "repo" scope + # - Fine-grained PAT: enable "Pull requests: write" and "Contents: write" + # WARNING: this step will fail with an authentication error if the secret + # is not configured. GH_TOKEN: ${{ secrets.GH_TOKEN }}