From 60aed7d59529531ad6c353b89722223daef9a701 Mon Sep 17 00:00:00 2001
From: Barrett Ruth <br.barrettruth@gmail.com>
Date: Fri, 20 Feb 2026 20:35:07 -0500
Subject: [PATCH] ci: use PUSH_TOKEN for docgen push to bypass branch rules

Problem: the docgen workflow pushes to main using GITHUB_TOKEN, which
authenticates as github-actions[bot]. The bot cannot bypass repository
rulesets on personal repos, so the push is rejected by required PR,
status check, and signature rules.

Solution: prefer a PUSH_TOKEN secret (a PAT authenticated as the repo
admin, who has bypass permissions) with fallback to GITHUB_TOKEN so
the workflow does not break before the secret is created.
---
 .github/workflows/tests.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 17474fa..751a491 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -87,7 +87,7 @@ jobs:
       - name: Commit changes
         if: ${{ github.ref == 'refs/heads/main' }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.PUSH_TOKEN || secrets.GITHUB_TOKEN }}
           COMMIT_MSG: |
             [docgen] Update docs
             skip-checks: true