From e6f05775734f0ce676a4dbea795e1140f1d7ad75 Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 19 Nov 2025 16:48:23 -0500
Subject: [PATCH] Fix workflow permissions issue properly
- Remove invalid 'workflows' permission (doesn't exist in GitHub Actions)
- Use WORKFLOW_TOKEN (PAT) for operations that modify workflow files
- Fall back to GITHUB_TOKEN if PAT not configured
- Add setup documentation for creating Personal Access Token
The GITHUB_TOKEN cannot push changes to workflow files by design. When patches include workflow modifications, a PAT with workflow scope is required.
---
 .github/workflows/rebase-upstream.yml | 3 +--
 .github/workflows/release-patched-version.yml | 3 +--
 DEPLOYMENT.md | 10 ++++++++++
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/rebase-upstream.yml b/.github/workflows/rebase-upstream.yml
index 38af44d214b0..abd12c970a57 100644
--- a/.github/workflows/rebase-upstream.yml
+++ b/.github/workflows/rebase-upstream.yml
@@ -9,7 +9,6 @@ on:
 permissions:
 contents: write
 issues: write
- workflows: write
 jobs:
 rebase:
@@ -19,7 +18,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
- token: ${{ secrets.GITHUB_TOKEN }}
+ token: ${{ secrets.WORKFLOW_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Setup git
 run: |
diff --git a/.github/workflows/release-patched-version.yml b/.github/workflows/release-patched-version.yml
index ec0ecef3a9df..603a186df3d2 100644
--- a/.github/workflows/release-patched-version.yml
+++ b/.github/workflows/release-patched-version.yml
@@ -15,7 +15,6 @@ on:
 permissions:
 contents: write
- workflows: write
 jobs:
 create-patched-release:
@@ -29,7 +28,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
- token: ${{ secrets.GITHUB_TOKEN }}
+ token: ${{ secrets.WORKFLOW_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Setup git
 run: |
diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md
index ebe3478cf51f..1a65fb175f1f 100644
--- a/DEPLOYMENT.md
+++ b/DEPLOYMENT.md
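Review bot: The new `token:` value on the checkout step in rebase-upstream.yml hands a personal access token to `actions/checkout@v4`, which by default keeps the token in the checkout's git configuration for the rest of the job, so every later step can push with it; the same line is added in release-patched-version.yml. The `permissions:` block above only limits `GITHUB_TOKEN`, so when `WORKFLOW_TOKEN` is set the job runs with whatever the PAT can do, and DEPLOYMENT.md asks for a classic token with `repo` and `workflow` scopes, which is not limited to this repository. I would document this next to the line, e.g. `# WORKFLOW_TOKEN is a PAT: not bounded by permissions: above; use a fine-grained token limited to this repo (Contents + Workflows write)`, and, if the steps outside this hunk allow it, set `persist-credentials: false` and pass the token only to the step that pushes. The job's remaining steps are outside the hunk, so whether that split is practical cannot be told from here.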
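Review bot: The `|| secrets.GITHUB_TOKEN` fallback on the checkout `token:` in release-patched-version.yml hides a missing `WORKFLOW_TOKEN`: the job starts normally and, going by the commit message, fails only once a push touches workflow files, which in a release job is late (rebase-upstream.yml has the same fallback). An early step that reports which credential is in use, without printing it, would make this visible, for example an `env:` entry `HAS_WORKFLOW_TOKEN: ${{ secrets.WORKFLOW_TOKEN != '' }}` checked in the first `run:` step. Pushes made with a PAT also start other workflows, unlike pushes made with `GITHUB_TOKEN`, so the triggers of the workflows in this repository should be checked for loops; they are not visible in this hunk.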
@@ -4,6 +4,16 @@ This fork maintains patches on top of upstream BuildKit using a rebase workflow. Our `master` branch contains upstream BuildKit plus our custom patches rebased on top.
+## Setup Requirements
+
+If your patches modify workflow files (`.github/workflows/*.yml`), you need to create a Personal Access Token:
+
+1. Go to GitHub Settings > Developer settings > Personal access tokens
+2. Create a new token with `repo` and `workflow` scopes
+3. Add it as a secret named `WORKFLOW_TOKEN` in your repository settings
+
+Without this token, the workflows will fall back to using `GITHUB_TOKEN`, which cannot push workflow changes.
+
 ## Creating a Patched Release
 To deploy a patched version of BuildKit: