From c4e905b2fba9e10d07ef420ab918853a6398cd31 Mon Sep 17 00:00:00 2001
From: kanywst
Date: Wed, 3 Jun 2026 21:13:16 +0900
Subject: [PATCH 1/2] fix(ci): push automated data commits with BOT_TOKEN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The daily-update / weekly-digest jobs pushed with the default GITHUB_TOKEN (github-actions[bot]), which the 'main' ruleset rejected ('repository rule violations') since the bot is not a bypass actor — so no track data had been committed since initial setup. Persist the BOT_TOKEN PAT (whose admin owner is in the ruleset's Repository-admin bypass list) via actions/checkout instead. This also lets the data commits trigger deploy-pages: pushes made with GITHUB_TOKEN are suppressed by GitHub's workflow-recursion guard, so the site previously never refreshed after a data commit.
---
 .github/workflows/daily-update.yml | 6 ++++++
 .github/workflows/weekly-digest.yml | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/.github/workflows/daily-update.yml b/.github/workflows/daily-update.yml
index f24ea32..a636a76 100644
--- a/.github/workflows/daily-update.yml
+++ b/.github/workflows/daily-update.yml
@@ -24,6 +24,12 @@ jobs:
 # Pin to main so a workflow_dispatch from a feature branch can't
 # publish data based on non-main code (the commit still lands on main).
 ref: main
+ # Persist a PAT (admin owner) instead of GITHUB_TOKEN so the later
+ # push (a) bypasses the `main` ruleset via the Repository-admin bypass
+ # actor, and (b) triggers deploy-pages — GITHUB_TOKEN pushes are
+ # suppressed by GitHub's workflow-recursion guard, so the site would
+ # otherwise never refresh after a data commit.
+ token: ${{ secrets.BOT_TOKEN }}
 - uses: actions/setup-python@v6
 with:
 python-version: '3.12'
diff --git a/.github/workflows/weekly-digest.yml b/.github/workflows/weekly-digest.yml
index 094023e..408be82 100644
--- a/.github/workflows/weekly-digest.yml
+++ b/.github/workflows/weekly-digest.yml
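Review bot: The `token: ${{ secrets.BOT_TOKEN }}` added under actions/checkout runs with the default `persist-credentials: true`, so the PAT is written to .git/config and is readable by every later step of the job; patch 2/2 of this series removes exactly this again, so the two patches should be squashed rather than leaving the intermediate state as its own commit in history. The weekly-digest hunk that follows has the same shape and gets the same remark. If the patches stay separate, the added comment block should at least say so explicitly, e.g. `# NOTE: persist-credentials defaults to true, so this PAT is stored in .git/config for later steps`.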
@@ -24,6 +24,12 @@ jobs:
 # Pin to main so a workflow_dispatch from a feature branch can't
 # publish a digest built from non-main code.
 ref: main
+ # Persist a PAT (admin owner) instead of GITHUB_TOKEN so the later
+ # push (a) bypasses the `main` ruleset via the Repository-admin bypass
+ # actor, and (b) triggers deploy-pages — GITHUB_TOKEN pushes are
+ # suppressed by GitHub's workflow-recursion guard, so the site would
+ # otherwise never refresh after a digest commit.
+ token: ${{ secrets.BOT_TOKEN }}
 - uses: actions/setup-python@v6
 with:
 python-version: '3.12'

From f2c95891a5a297b54b230bba688e18e822ab3aa2 Mon Sep 17 00:00:00 2001
From: kanywst
Date: Wed, 3 Jun 2026 21:34:30 +0900
Subject: [PATCH 2/2] fix(ci): scope BOT_TOKEN to the push step, don't persist in checkout

Per CodeRabbit: checkout with token + default persist-credentials left the admin PAT in .git/config for all later steps, including the repo-controlled 'make ... update' pipeline. Set persist-credentials: false and apply the PAT inline (never written to git config) only in the commit/push step.
---
 .github/workflows/daily-update.yml | 18 +++++++++++-------
 .github/workflows/weekly-digest.yml | 18 +++++++++++-------
 2 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/daily-update.yml b/.github/workflows/daily-update.yml
index a636a76..d5a0074 100644
--- a/.github/workflows/daily-update.yml
+++ b/.github/workflows/daily-update.yml
@@ -24,12 +24,10 @@ jobs:
 # Pin to main so a workflow_dispatch from a feature branch can't
 # publish data based on non-main code (the commit still lands on main).
 ref: main
- # Persist a PAT (admin owner) instead of GITHUB_TOKEN so the later
- # push (a) bypasses the `main` ruleset via the Repository-admin bypass
- # actor, and (b) triggers deploy-pages — GITHUB_TOKEN pushes are
- # suppressed by GitHub's workflow-recursion guard, so the site would
- # otherwise never refresh after a data commit.
- token: ${{ secrets.BOT_TOKEN }}
+ # Don't persist any token in .git/config: the pipeline step below runs
+ # repo/third-party code, and the admin PAT must not be readable by it.
+ # The PAT is applied inline only in the commit/push step.
+ persist-credentials: false
 - uses: actions/setup-python@v6
 with:
 python-version: '3.12'
@@ -41,6 +39,8 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: make -C tracks/${{ matrix.track }} update
 - name: Commit and push
+ env:
+ BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
 run: |
 git config user.name 'github-actions[bot]'
 git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
@@ -50,8 +50,12 @@ jobs:
 exit 0
 fi
 git commit -m "chore(${{ matrix.track }}): daily update $(date -u +%Y-%m-%d)"
+ # Inline auth (never written to .git/config) with an admin PAT that the
+ # `main` ruleset bypasses; a PAT push also lets deploy-pages fire, which
+ # GITHUB_TOKEN pushes can't (workflow-recursion guard).
+ remote="https://x-access-token:${BOT_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
 for i in 1 2 3 4 5; do
- if git pull --rebase origin main && git push origin HEAD:main; then
+ if git pull --rebase "$remote" main && git push "$remote" HEAD:main; then
 exit 0
 fi
 sleep $((i * 5))
diff --git a/.github/workflows/weekly-digest.yml b/.github/workflows/weekly-digest.yml
index 408be82..b6d6728 100644
--- a/.github/workflows/weekly-digest.yml
+++ b/.github/workflows/weekly-digest.yml
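Review bot: The step-level `env:` added above the `Commit and push` run block is the right scope, but nothing in the workflow records what BOT_TOKEN is expected to be; the commit message describes it as an admin owner's PAT, a long-lived credential with far more reach than the single `contents: write` this step needs. A comment above `env:` such as `# BOT_TOKEN: PAT with contents:write on this repository only; its owner is a ruleset bypass actor. Step-scoped so the update pipeline never sees it.` would document the expected scope for the next maintainer. A fine-grained PAT limited to this repository, or a per-run GitHub App installation token, registered as the ruleset bypass actor would bound the impact if the secret ever leaves this step. The weekly-digest `env:` hunk below carries the same remark.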
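Review bot: The `remote=` line builds the URL from `${BOT_TOKEN}` without checking that it is set, so when the secret is not configured the loop retries five times against a URL with an empty password and sleeps about 75 seconds in total before failing with a generic authentication error; a guard just before the assignment, `: "${BOT_TOKEN:?BOT_TOKEN secret is not set}"`, fails fast with a clear message. The retry loop around the changed `git pull --rebase "$remote" main` line also has a pre-existing gap: a rebase conflict leaves the work tree mid-rebase, so every later iteration fails for a different reason than the first, and `git rebase --abort 2>/dev/null || true` at the top of each attempt would keep the tree retryable. Because the token is passed on the git command line, Actions log masking still applies, but on a self-hosted runner it is visible to other local processes for the duration of the call, which the added comment could mention. The weekly-digest push hunk below is identical and gets the same remarks.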
@@ -24,12 +24,10 @@ jobs:
 # Pin to main so a workflow_dispatch from a feature branch can't
 # publish a digest built from non-main code.
 ref: main
- # Persist a PAT (admin owner) instead of GITHUB_TOKEN so the later
- # push (a) bypasses the `main` ruleset via the Repository-admin bypass
- # actor, and (b) triggers deploy-pages — GITHUB_TOKEN pushes are
- # suppressed by GitHub's workflow-recursion guard, so the site would
- # otherwise never refresh after a digest commit.
- token: ${{ secrets.BOT_TOKEN }}
+ # Don't persist any token in .git/config: the pipeline step below runs
+ # repo/third-party code, and the admin PAT must not be readable by it.
+ # The PAT is applied inline only in the commit/push step.
+ persist-credentials: false
 - uses: actions/setup-python@v6
 with:
 python-version: '3.12'
@@ -41,6 +39,8 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: make -C tracks/${{ matrix.track }} weekly
 - name: Commit and push
+ env:
+ BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
 run: |
 git config user.name 'github-actions[bot]'
 git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
@@ -50,8 +50,12 @@ jobs:
 exit 0
 fi
 git commit -m "chore(${{ matrix.track }}): weekly digest $(date -u +%Y-W%V)"
+ # Inline auth (never written to .git/config) with an admin PAT that the
+ # `main` ruleset bypasses; a PAT push also lets deploy-pages fire, which
+ # GITHUB_TOKEN pushes can't (workflow-recursion guard).
+ remote="https://x-access-token:${BOT_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
 for i in 1 2 3 4 5; do
- if git pull --rebase origin main && git push origin HEAD:main; then
+ if git pull --rebase "$remote" main && git push "$remote" HEAD:main; then
 exit 0
 fi
 sleep $((i * 5))
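Review bot: The `git commit -m` line in the last hunk labels the digest with `$(date -u +%Y-W%V)`, which pairs the calendar year with the ISO week number; these disagree around the year boundary (ISO week 01 can begin in late December), so a run on 2025-12-29 would be labelled `2025-W01` even though that week belongs to 2026. `%G-W%V` uses the ISO week-based year and is consistent with `%V`. This is an unchanged context line, so the mismatch predates this commit; the added `remote=` and retry lines in this hunk match the daily-update hunk above and carry the same remarks made there.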