fix: increase token scope to create PRs or sent events in other repositories (#1834)

frewilhelm · morri-son · web-flow · commit d15beb216875 · 2026-02-24T11:48:41.000+01:00
After the release action creates a release successfully, it sends an event to trigger this [workflow](https://github.com/open-component-model/ocm/blob/44e518eb1228ef2eddaac0bf71cb25941701636b/.github/workflows/publish-to-other-than-github.yaml), so the release is propagated through other repositories (website, brew) and package registries (chocolatey, ...). For the release `0.36.0` the workflow [failed](https://github.com/open-component-model/ocm/actions/runs/22340840543) for the ocm-website and homebrew-tab with an error such as ```log Error: Error creating blob for file 'Formula/ocm@0.36.0.rb': Resource not accessible by integration - https://docs.github.com/rest/git/blobs#create-a-blob ``` The `Resource not accessible by integration` indicates a permission-scope issue. A week before the workflow was run, the generation of GitHub-Tokens was [changed](001ac9f): ```diff - uses: tibdex/github-app-token@3beb63f # v2.1.0 + uses: actions/create-github-app-token@29824e6 # v2 ``` However, the `create-github-app-token` action does only grant permissions for the current repository. Accordingly, any event (website) or creation of PR (brew) will fail as these are other repositories. To resolve this, we need to set `owner: ${{ github.repository_owner }}` to create a token [for all repositories in the current owner's installation](https://github.com/actions/create-github-app-token?tab=readme-ov-file#create-a-token-for-all-repositories-in-the-current-owners-installation) (see related [discussion](https://github.com/orgs/community/discussions/69154#discussioncomment-7191057)). --------- Signed-off-by: Frederic Wilhelm <frederic.wilhelm@sap.com> Co-authored-by: Gerald Morrison <67469729+morri-son@users.noreply.github.com>
diff --git a/.github/workflows/publish-to-other-than-github.yaml b/.github/workflows/publish-to-other-than-github.yaml
@@ -30,6 +30,7 @@ jobs:
       with: # OCMBot
         app-id: ${{ secrets.OCMBOT_APP_ID }}
         private-key: ${{ secrets.OCMBOT_PRIV_KEY }}
+        owner: ${{ github.repository_owner }}
     - name: Checkout
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
@@ -137,6 +138,7 @@ jobs:
       with: # OCMBot
         app-id: ${{ secrets.OCMBOT_APP_ID }}
         private-key: ${{ secrets.OCMBOT_PRIV_KEY }}
+        owner: ${{ github.repository_owner }}
     - name: Publish Release Event
       uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
       with:
diff --git a/.github/workflows/retrigger-publish-to-other.yaml b/.github/workflows/retrigger-publish-to-other.yaml
@@ -44,6 +44,7 @@ jobs:
       with: # OCMBot
         app-id: ${{ secrets.OCMBOT_APP_ID }}
         private-key: ${{ secrets.OCMBOT_PRIV_KEY }}
+        owner: ${{ github.repository_owner }}
     - name: Ensure proper version
       run: |
         curl -sSL -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ steps.generate_token.outputs.token }}" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/open-component-model/ocm/releases > releases.json
