Merge pull request #16 from useblacksmith/fix-workflow-permissions-properly

Fix: Properly handle workflow file modifications in releases

Author: adityamaru

.github/workflows/rebase-upstream.yml

@@ -9,7 +9,6 @@ on:
 permissions:
   contents: write
   issues: write
-  workflows: write
 
 jobs:
   rebase:
@@ -19,7 +18,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.WORKFLOW_TOKEN || secrets.GITHUB_TOKEN }}
 
       - name: Setup git
         run: |

.github/workflows/release-patched-version.yml

@@ -15,7 +15,6 @@ on:
 
 permissions:
   contents: write
-  workflows: write
 
 jobs:
   create-patched-release:
@@ -29,7 +28,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.WORKFLOW_TOKEN || secrets.GITHUB_TOKEN }}
 
       - name: Setup git
         run: |

DEPLOYMENT.md

@@ -4,6 +4,16 @@
 
 This fork maintains patches on top of upstream BuildKit using a rebase workflow. Our `master` branch contains upstream BuildKit plus our custom patches rebased on top.
 
+## Setup Requirements
+
+If your patches modify workflow files (`.github/workflows/*.yml`), you need to create a Personal Access Token:
+
+1. Go to GitHub Settings > Developer settings > Personal access tokens
+2. Create a new token with `repo` and `workflow` scopes
+3. Add it as a secret named `WORKFLOW_TOKEN` in your repository settings
+
+Without this token, the workflows will fall back to using `GITHUB_TOKEN`, which cannot push workflow changes.
+
 ## Creating a Patched Release
 
 To deploy a patched version of BuildKit: