fix: fix update-pre-commit-hooks workflow

The `update-pre-commit-hooks` workflow used `REPO_PAT` as its token, which caused it fail with the default permissions suggested for the token (repo restricted 'contents:write' and 'pull_requests:write'). Custom tokens, used to allow pull requests to trigger workflows, need to be global. This commit simply removes the dependence on `REPO_PAT`, and uses the default `GITHUB_TOKEN` in the workflow--consequently the pull request made by `update-pre-commit-hooks` will not trigger `check-pr`. Additionally, 'pull_requests:write' is no longer listed as a required permission for `REPO_PAT`.
jayanthkoushik · Jul 9, 2024 · 8826b5f · 8826b5f
1 parent 60216a8
commit 8826b5f
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 17 deletions.
diff --git a/README.md b/README.md
@@ -218,9 +218,9 @@ The following operations are involved:
  permissions, used to create the GitHub repository. This token can
  be shared between projects, but it is highly recommended to create
  a separate token just for shiny-pyseed.
- 2. A token with 'contents:write' and 'pull_requests:write'
- permissions for the project repository. This token is used for
- creating GitHub releases and publishing the website.
+ 2. A token with 'contents:write' permission for the project
+ repository. This token is used for creating GitHub releases and
+ publishing the website.
 2. The user will also need to create a PyPI access token for uploading
  releases to PyPI. For details, see <https://pypi.org/help/#apitoken>.
 3. The GitHub API is called to create a repository with the same name as
@@ -647,8 +647,8 @@ which are created by the optional second phase of the bootstrap script.
 They will need to be created manually if this phase was skipped. This
 section will indicate which of the following two secrets are needed by
 different workflows. `REPO_PAT` is a GitHub access token with
-'contents:write' and 'pull_requests:write' premissions for the
-repository, and `PYPI_TOKEN` is an access key for PyPI.
+'contents:write' premission for the repository, and `PYPI_TOKEN` is an
+access key for PyPI.
 
 **`release-new-version.yml`**
 This is the workflow for creating a new release of the project. It needs
@@ -686,7 +686,7 @@ windows-latest) and Python versions (configured during bootstrap).
 
 **`update-pre-commit-hooks.yml`**
 This workflow calls `pre-commit autoupdate` to update hooks to their
-latest version. If there are any changes, it will create a pull request;
-this requires the `REPO_PAT` secret. By default, this workflow will run
-automatically every month. This can be skipped during bootstrap;
-alternatively, update or remove the `schedule` section in the workflow.
+latest version. If there are any changes, it will create a pull request.
+By default, this workflow will run automatically every month. This can
+be skipped during bootstrap; alternatively, update or remove the
+`schedule` section in the workflow.
diff --git a/dist/pyseed.py b/dist/pyseed.py
@@ -1033,9 +1033,8 @@ def setup_github(config: dict[ConfigKey, Any]):
  release_token = getpass(
  f"\n[https://github.com/settings/personal-access-tokens/new] "
  f"create a personal access token with 'contents:write' "
- f"and 'pull_requests:write' permissions for this project's repo "
- f"({repo_owner}/{project_name}), and enter it here "
- f"(or leave empty to skip this step): "
+ f"permission for this project's repo ({repo_owner}/{project_name})"
+ f"and enter it here (or leave empty to skip this step): "
  )
  if release_token:
  gh_secrets_manager.upload_actions_secret(
@@ -1823,7 +1822,6 @@ def main():
  - run: pre-commit autoupdate
  - uses: peter-evans/create-pull-request@v6
  with:
- token: ${{ secrets.REPO_PAT }}
  commit-message: "chore: update pre-commit hooks"
  branch: update-pre-commit-hooks
  title: Update pre-commit hooks

diff --git a/src/data/update_pre_commit_hooks_workflow.template.yml b/src/data/update_pre_commit_hooks_workflow.template.yml
@@ -16,7 +16,6 @@ jobs:
  - run: pre-commit autoupdate
  - uses: peter-evans/create-pull-request@v6
  with:
- token: ${{ secrets.REPO_PAT }}
  commit-message: "chore: update pre-commit hooks"
  branch: update-pre-commit-hooks
  title: Update pre-commit hooks

diff --git a/src/pyseed.py b/src/pyseed.py
@@ -1031,9 +1031,8 @@ def setup_github(config: dict[ConfigKey, Any]):
  release_token = getpass(
  f"\n[https://github.com/settings/personal-access-tokens/new] "
  f"create a personal access token with 'contents:write' "
- f"and 'pull_requests:write' permissions for this project's repo "
- f"({repo_owner}/{project_name}), and enter it here "
- f"(or leave empty to skip this step): "
+ f"permission for this project's repo ({repo_owner}/{project_name})"
+ f"and enter it here (or leave empty to skip this step): "
  )
  if release_token:
  gh_secrets_manager.upload_actions_secret(