fix(ci): push automated data commits with BOT_TOKEN #22

Merged
kanywst merged 2 commits into main from fix/automation-push-token on Jun 3, 2026
Conversation

@kanywst
Member

@kanywst kanywst commented Jun 3, 2026

Problem

daily-update / weekly-digest have been firing on schedule but failing every run — no track data has been committed since the initial setup (2026-05-17).

Root cause from the run logs:

! [remote rejected] HEAD -> main (push declined due to repository rule violations)
remote: - 7 of 7 required status checks are expected.

The jobs pushed with the default GITHUB_TOKEN (github-actions[bot]), which the main ruleset rejects because the bot is not a bypass actor.

Fix

Persist the BOT_TOKEN PAT via actions/checkout instead of GITHUB_TOKEN. The PAT's owner is an admin, which is in the ruleset's Repository-admin bypass list, so the push is allowed.

Bonus: pushes made with GITHUB_TOKEN are suppressed by GitHub's workflow-recursion guard, so the data commits previously never triggered deploy-pages and the site went stale. A PAT push does trigger it, so the site now auto-refreshes after each data commit.

Verify after merge

workflow_dispatch of daily-update → confirm the push lands on main and deploy-pages fires.

Summary by CodeRabbit

  • Chores
    • Updated automated workflow configurations to enhance reliability of routine update and deployment processes.

@coderabbitai

coderabbitai Bot commented Jun 3, 2026

Warning

Review limit reached

@kanywst, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 39 minutes and 55 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2e8f56f3-e924-4be6-a873-21162e4f1f81

📥 Commits

Reviewing files that changed from the base of the PR and between 2d77e28 and f2c9589.

📒 Files selected for processing (2)
  • .github/workflows/daily-update.yml
  • .github/workflows/weekly-digest.yml
📝 Walkthrough

Two GitHub Actions workflows (daily-update and weekly-digest) are updated to authenticate checkout operations using a persisted personal access token (secrets.BOT_TOKEN) instead of the default GITHUB_TOKEN. Both changes include explanatory comments about bypassing branch rulesets and ensuring deploy-pages triggering.

Changes

Workflow bot token migration

Layer / File(s): Bot token checkout configuration (.github/workflows/daily-update.yml, .github/workflows/weekly-digest.yml)
Summary: Both workflows update their actions/checkout steps to use token: ${{ secrets.BOT_TOKEN }} with inline comments explaining that the bot token persists authentication to bypass main ruleset restrictions via the repository-admin bypass actor, and to ensure deploy-pages is triggered after commits while avoiding GitHub's workflow-recursion suppression.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 The Bot hops in with token in hand,
To checkout workflows across the land,
Bypassing rulesets with admin flair,
While deploy-pages refreshes with care! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title accurately summarizes the main change: updating CI workflows to use BOT_TOKEN for automated data commits instead of the default GITHUB_TOKEN.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/daily-update.yml:
- Around line 27-32: The checkout step is leaving the high-privilege BOT_TOKEN in the job git config; update the actions/checkout invocation(s) that currently use token: ${{ secrets.BOT_TOKEN }} to set persist-credentials: false, and then in the commit/push section add an explicit authenticated remote (or re-run actions/checkout with the BOT_TOKEN just before pushing) so the PAT is only configured right before git push; target the actions/checkout entries and the push step that references token: ${{ secrets.BOT_TOKEN }} and ensure the PAT is not persisted across earlier steps.

In @.github/workflows/weekly-digest.yml:
- Around line 27-32: The checkout step using actions/checkout@v6 currently passes token: ${{ secrets.BOT_TOKEN }} which causes the admin PAT to be persisted; update the checkout step to add persist-credentials: false so credentials are not kept for the remainder of the job, and then modify the "Commit and push" step to explicitly authenticate (e.g., set GIT_AUTH or use a separate checkout/push action) only at push time using secrets.BOT_TOKEN; ensure you reference actions/checkout@v6, persist-credentials: false, and the "Commit and push" step when making the change.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7d965399-b760-4574-8fd0-4f9ba643319f

📥 Commits

Reviewing files that changed from the base of the PR and between 478d484 and 2d77e28.

📒 Files selected for processing (2)
  • .github/workflows/daily-update.yml
  • .github/workflows/weekly-digest.yml

The daily-update / weekly-digest jobs pushed with the default GITHUB_TOKEN
(github-actions[bot]), which the 'main' ruleset rejected ('repository rule
violations') since the bot is not a bypass actor — so no track data had been
committed since initial setup. Persist the BOT_TOKEN PAT (whose admin owner is
in the ruleset's Repository-admin bypass list) via actions/checkout instead.

This also lets the data commits trigger deploy-pages: pushes made with
GITHUB_TOKEN are suppressed by GitHub's workflow-recursion guard, so the site
previously never refreshed after a data commit.
@kanywst kanywst force-pushed the fix/automation-push-token branch from 2d77e28 to c4e905b Compare June 3, 2026 12:31
Per CodeRabbit: checkout with token + default persist-credentials left the
admin PAT in .git/config for all later steps, including the repo-controlled
'make ... update' pipeline. Set persist-credentials: false and apply the PAT
inline (never written to git config) only in the commit/push step.
@kanywst
Member Author

kanywst commented Jun 3, 2026

Addressed in f2c9589: set persist-credentials: false on checkout and apply the admin PAT inline (never written to .git/config) only in the commit/push step, so the pipeline step no longer has access to it.
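The pattern described in the PR body, the second commit message and the author's follow-up, written out as an added example; this is not the repository's own workflow (the page does not show the changed files). It puts the flagged checkout form beside the hardened one; the step names, the `make update` target, the cron schedule and the bot identity are assumptions.

```yaml
# Added illustration; not the repository's own workflow file, which this page
# does not show. Step names, the "make update" target and the bot identity
# are assumptions.
name: daily-update
on:
  schedule:
    - cron: "0 3 * * *"
  workflow_dispatch:
permissions:
  contents: read   # GITHUB_TOKEN is no longer used to push at all

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      # Before (the form the review flagged): the admin PAT is written into
      # .git/config and every later step, including repo-controlled build
      # code, can read it.
      #
      #   - uses: actions/checkout@v6
      #     with:
      #       token: ${{ secrets.BOT_TOKEN }}
      #
      # After: check out without persisting any credential.
      - uses: actions/checkout@v6
        with:
          persist-credentials: false

      # The repo-controlled pipeline runs with no push credential in reach.
      - name: Update track data
        run: make update

      # The PAT is exposed to this step only, through env, and is handed to
      # git inline as a per-invocation config value, so it never lands in
      # .git/config. A PAT push, unlike a GITHUB_TOKEN push, also triggers
      # downstream workflows such as deploy-pages.
      - name: Commit and push
        env:
          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
        run: |
          set -euo pipefail
          git config user.name "automation-bot"
          git config user.email "automation-bot@users.noreply.github.com"
          git add -A
          git diff --cached --quiet && { echo "no changes"; exit 0; }
          git commit -m "chore(data): automated update $(date -u +%F)"
          AUTH=$(printf 'x-access-token:%s' "$BOT_TOKEN" | base64 -w0)
          git -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${AUTH}" \
            push origin HEAD:main
```

The `-c http.https://github.com/.extraheader` form is the same header mechanism actions/checkout uses internally, but scoped to a single git invocation instead of being stored in the repository config.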

@kanywst kanywst merged commit ac41e01 into main Jun 3, 2026
10 checks passed
@kanywst kanywst deleted the fix/automation-push-token branch June 3, 2026 12:36