From 8cffedd2a9d2686c51b59f45c649288f6db17ded Mon Sep 17 00:00:00 2001
From: rob thijssen <grenade@rob.tn>
Date: Fri, 24 Apr 2026 11:10:29 +0300
Subject: [PATCH] fix(ci): use PAT for workflow dispatch in poll-upstream

The automatic GITEA_TOKEN cannot trigger other workflows. Use a
dedicated DISPATCH_TOKEN secret (personal access token with
repository read/write scope) instead.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .gitea/workflows/poll-upstream.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/.gitea/workflows/poll-upstream.yml b/.gitea/workflows/poll-upstream.yml
index 892f5ac..baee06f 100644
--- a/.gitea/workflows/poll-upstream.yml
+++ b/.gitea/workflows/poll-upstream.yml
@@ -5,9 +5,6 @@ on:
     - cron: "*/1 * * * *"
   workflow_dispatch: {}
 
-permissions:
-  actions: write
-
 jobs:
   check:
     runs-on: fedora
@@ -50,7 +47,7 @@ jobs:
         run: |
           curl --fail --silent --show-error --location \
             --request POST \
-            --header "Authorization: token ${{ secrets.GITEA_TOKEN }}" \
+            --header "Authorization: token ${{ secrets.DISPATCH_TOKEN }}" \
             --header 'Accept: application/json' \
             --url "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/actions/workflows/build-release.yml/dispatches" \
             --data "{\"ref\":\"main\",\"inputs\":{\"tag\":\"${{ steps.upstream.outputs.tag }}\"}}"