Issue body
Summary
The scheduled "Check for Runtime Updates" workflow fails immediately at checkout with: "Input required and not supplied: token". The workflow passes token: ${{ secrets.PAT_TOKEN }} to actions/checkout, but PAT_TOKEN is not set for the repository.
Reproduction
See failing job: https://github.com/MMeffert/aws-lambda-pyodbc-layer/actions/runs/20427545567/job/58730194377
The workflow file in this run: .github/workflows/check-updates.yml (ref: f00db7d)
https://github.com/MMeffert/aws-lambda-pyodbc-layer/blob/f00db7da3f3e80408c4aa069f4dfe8c4cf26fef8/.github/workflows/check-updates.yml
Root cause
actions/checkout@v4 is given an empty token input (secrets.PAT_TOKEN is not defined), causing the checkout action to error with "Input required and not supplied: token".
Proposed fixes (pick one)
Option 1 — Recommended: use GITHUB_TOKEN
- Remove the explicit token input so checkout uses the built-in GITHUB_TOKEN.
- Add workflow permissions so GITHUB_TOKEN has push rights.
Exact changes to .github/workflows/check-updates.yml (apply to ref f00db7d)
Add permissions at top of workflow (under the workflow name):
    permissions:
      contents: write
Replace the checkout step to remove the token input:
    - name: Checkout repository
      uses: actions/checkout@v4
      with:
        fetch-depth: 0
Option 2 — Keep PAT_TOKEN
If you prefer a PAT, create a repository secret named PAT_TOKEN with a Personal Access Token that has repo scope (write). This is less recommended for automation.
Additional recommendation (optional)
Improve tag creation to handle tags with a leading "v" and avoid malformed tags. Replace the tag logic in check-updates.yml with:
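    LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
    TAG_STR=${LATEST_TAG#v} # strip leading v if present
    # Assumed reconstruction of the lines missing from the page: split
    # MAJOR.MINOR.PATCH and bump the patch component.
    MAJOR=$(echo "$TAG_STR" | cut -d. -f1)
    MINOR=$(echo "$TAG_STR" | cut -d. -f2)
    PATCH=$(echo "$TAG_STR" | cut -d. -f3)
    NEW_PATCH=$((PATCH + 1))
    NEW_TAG="v$MAJOR.$MINOR.$NEW_PATCH"
    git tag -a "$NEW_TAG" -m "Auto-release: updated runtime versions"
    git push origin "$NEW_TAG"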
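Added example, not part of the original issue or the repository: a small Python check for the two conditions discussed above, an explicit checkout token that points at a secret which is not defined, and a GITHUB_TOKEN checkout without contents: write. The sample workflow text (including the cron value and job name) and the defined_secrets parameter are assumptions made for the illustration; the check uses line matching rather than a YAML parser and only looks at top-level permissions.

```python
import re

# Constructed sample: the checkout step as the issue describes it. The cron
# value and job name are made up for illustration.
BEFORE = """\
name: Check for Runtime Updates
on:
  schedule:
    - cron: "0 6 * * 1"
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.PAT_TOKEN }}
"""
# Option 1 in two stages: drop the explicit token, then grant contents: write.
NO_TOKEN = BEFORE.replace("          token: ${{ secrets.PAT_TOKEN }}\n", "")
AFTER = NO_TOKEN.replace("on:\n", "permissions:\n  contents: write\non:\n", 1)

STEP_SPLIT = re.compile(r"^(?=[ \t]*- )", re.M)   # start of each list item
CHECKOUT = re.compile(r"^[ \t]*(?:- )?uses:\s*actions/checkout@\S+", re.M)
SECRET_TOKEN = re.compile(r"^[ \t]*token:\s*\$\{\{\s*secrets\.(\w+)\s*\}\}", re.M)
TOP_PERMS = re.compile(r"^permissions:[ \t]*\n((?:[ \t]+\S.*\n?)+)", re.M)
CONTENTS_WRITE = re.compile(r"^[ \t]+contents:[ \t]*write[ \t]*$", re.M)

def audit(workflow_text, defined_secrets=frozenset()):
    """Return findings about the token each actions/checkout step will use."""
    # defined_secrets: secret names the caller knows exist in the repository
    # (assumption: this script does not query GitHub itself).
    findings, default_token = [], False
    for step in STEP_SPLIT.split(workflow_text):
        if not CHECKOUT.search(step):
            continue
        m = SECRET_TOKEN.search(step)
        if m is None:
            default_token = True          # checkout falls back to GITHUB_TOKEN
        elif m.group(1) not in defined_secrets:
            findings.append(f"checkout token references undefined secret {m.group(1)}")
    perms = TOP_PERMS.search(workflow_text)
    if default_token and not (perms and CONTENTS_WRITE.search(perms.group(1))):
        findings.append("GITHUB_TOKEN checkout without top-level 'contents: write'")
    return findings
```

Calling audit(BEFORE) reports the undefined PAT_TOKEN, audit(NO_TOKEN) reports the missing permissions block, and audit(AFTER) returns an empty list.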