From 5f7613ddacc91a101781e0ab67d593fd45341d19 Mon Sep 17 00:00:00 2001
From: Cobb <cobb@sulkta.com>
Date: Fri, 17 Apr 2026 11:35:29 -0700
Subject: [PATCH] ci(upstream-sync): use write-scoped PAT for push; make notify
 best-effort
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Run 90 hit two problems in sequence:

1. Built-in $GITEA_TOKEN is read-only by default in Gitea Actions, so
   'git push origin main' 404'd ('failed to push some refs'). Swapped
   to a new GIT_PUSH_TOKEN repo secret (admin-scoped PAT) which the
   checkout action uses when wiring the authenticated remote.

2. None of our bot accounts are currently in the Infra Matrix room, so
   the notification POST would 403 and fail the whole run. Made that
   step continue-on-error — the sync is the critical path; a missed
   ping is recoverable (check Actions UI, invite a bot later, etc).
---
 .gitea/workflows/upstream-sync.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/upstream-sync.yml b/.gitea/workflows/upstream-sync.yml
index 1fe9d1adfe..69d1d668d2 100644
--- a/.gitea/workflows/upstream-sync.yml
+++ b/.gitea/workflows/upstream-sync.yml
@@ -32,8 +32,10 @@ jobs:
           ref: main
           fetch-depth: 0
           lfs: false
-          # Built-in token Gitea hands us — scoped to this repo, has push.
-          token: ${{ secrets.GITEA_TOKEN }}
+          # Gitea's built-in GITEA_TOKEN is read-only by default.
+          # GIT_PUSH_TOKEN is a repo secret with a write-scoped PAT, so
+          # the subsequent `git push origin main` actually lands.
+          token: ${{ secrets.GIT_PUSH_TOKEN }}
 
       - name: Fetch upstream + wallet
         run: |
@@ -84,7 +86,11 @@ jobs:
           echo "wallet is $BEHIND commits behind main now; $NEW_ADDED new upstream commits this run"
 
       - name: Matrix notification (Infra room)
+        # Best-effort — if the target bot isn't in the room or Matrix is
+        # flapping, don't fail the whole run. The advance + push is the
+        # critical path; notify is a convenience ping.
         if: steps.ff.outputs.advanced == 'true'
+        continue-on-error: true
         env:
           MATRIX_TOKEN: ${{ secrets.MATRIX_HOUSE_BOT_TOKEN }}
         run: |