@@ -206,16 +206,34 @@ jobs:
206206 - name : Commit and push promotion branch
207207 if : steps.manifest-diff.outputs.has_changes == 'true'
208208 env :
209- PUSH_TOKEN : ${{ github.token }}
209+ PUSH_BUILTIN_TOKEN : ${{ github.token }}
210+ PR_PAT : ${{ secrets.PR_PAT }}
211+ READ_PAT : ${{ secrets.READ_PAT }}
212+ CR_PAT : ${{ secrets.CR_PAT }}
210213 PR_BRANCH : ${{ steps.source-run.outputs.pr_branch }}
211214 SOURCE_SHA : ${{ steps.source-run.outputs.source_sha }}
212215 run : |
213216 set -euo pipefail
214217
218+ push_token="${PUSH_BUILTIN_TOKEN}"
219+ if [[ "${TARGET_REPO}" != "${HEAD_REPO}" ]]; then
220+ push_token="${PR_PAT}"
221+ if [[ -z "${push_token}" ]]; then
222+ push_token="${READ_PAT}"
223+ fi
224+ if [[ -z "${push_token}" ]]; then
225+ push_token="${CR_PAT}"
226+ fi
227+ if [[ -z "${push_token}" ]]; then
228+ echo "A token with contents and workflows write access is required when pushing a cross-repo promotion branch to ${HEAD_REPO}" >&2
229+ exit 1
230+ fi
231+ fi
232+
215233 git config user.name "github-actions[bot]"
216234 git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
217235 git remote rename origin upstream
218- git remote add origin "https://x-access-token:${PUSH_TOKEN }@github.com/${HEAD_REPO}.git"
236+ git remote add origin "https://x-access-token:${push_token }@github.com/${HEAD_REPO}.git"
219237 git checkout -B "${PR_BRANCH}"
220238 git add tools/nsc/manifests
221239 git commit -m "Promote NSC channel ${SOURCE_SHA}"
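Review bot: The cross-repo branch falls back from `PR_PAT` to `READ_PAT` and then `CR_PAT`, which by their names look like credentials provisioned for other purposes, so a push through them only succeeds if they carry contents and workflows write access that those purposes presumably do not need. Which credential ends up pushing then depends on which secrets happen to be configured, which is hard to audit. I would keep a single dedicated secret, `push_token="${PR_PAT}"` followed by the existing empty check, and drop `READ_PAT` and `CR_PAT` from the step's `env` so they are not exposed to a step that has no other use for them. The selected token is also written into the `origin` URL and so into `.git/config`; that was already true for the job-scoped `github.token`, but a PAT stored there likely outlives the job, so it would be worth resetting the remote URL once the push (outside this hunk) is done. `TARGET_REPO` and `HEAD_REPO` are not set in this step's `env`, so they are presumably defined outside the hunk.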