Make sure we use a PAT with the right permissions for GitHub API calls in the workflow

rafaelfranca · rafaelfranca · commit 7b18a23d9ab7 · 2026-03-17T04:05:42.000Z
diff --git a/.github/workflows/check-ruby-versions.yaml b/.github/workflows/check-ruby-versions.yaml
@@ -26,7 +26,7 @@ jobs:
       - name: Check for new versions and create PR
         id: check-and-create
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.RUBY_AUTOMATION_PAT }}
         run: bin/check-and-create-pr
 
       - name: Annotate new versions added
@@ -42,7 +42,7 @@ jobs:
       - name: Enable auto-merge
         if: steps.check-and-create.outputs.pr_created == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.RUBY_AUTOMATION_PAT }}
         run: |
           echo "Enabling auto-merge for PR #${{ steps.check-and-create.outputs.pr_number }}..."
           gh pr merge ${{ steps.check-and-create.outputs.pr_number }} --auto --squash
diff --git a/lib/ruby_version_pr_creator.rb b/lib/ruby_version_pr_creator.rb
@@ -115,11 +115,15 @@ def validate_prerequisites!
       raise Error, "Git is not installed or not in PATH."
     end
 
-    # Verify we can authenticate with GitHub
+    # Verify we can authenticate with GitHub and access this repository
     begin
-      github_client.user
+      github_client.repository(repository)
     rescue Octokit::Unauthorized
       raise Error, "GitHub API authentication failed. Check your token."
+    rescue Octokit::Forbidden
+      raise Error, "GitHub API access forbidden for repository #{repository}. Check token permissions."
+    rescue Octokit::NotFound
+      raise Error, "GitHub repository not found or inaccessible: #{repository}."
     rescue Octokit::Error => e
       raise Error, "GitHub API error: #{e.message}"
     end
diff --git a/test/ruby_version_pr_creator_test.rb b/test/ruby_version_pr_creator_test.rb
@@ -162,8 +162,8 @@ def stub_git_operations(creator)
   end
 
   def stub_github_api_success
-    stub_request(:get, "https://api.github.com/user")
-      .to_return(status: 200, body: JSON.generate({ login: "test-user" }), headers: json_headers)
+    stub_request(:get, "https://api.github.com/repos/rails/devcontainer")
+      .to_return(status: 200, body: JSON.generate({ full_name: "rails/devcontainer" }), headers: json_headers)
 
     stub_request(:get, "https://api.github.com/repos/rails/devcontainer/pulls?state=open")
       .to_return(status: 200, body: JSON.generate([]), headers: json_headers)
@@ -180,12 +180,12 @@ def stub_github_api_success
   end
 
   def stub_github_api_unauthorized
-    stub_request(:get, "https://api.github.com/user").to_return(status: 401)
+    stub_request(:get, "https://api.github.com/repos/rails/devcontainer").to_return(status: 401)
   end
 
   def stub_github_api_with_existing_pr
-    stub_request(:get, "https://api.github.com/user")
-      .to_return(status: 200, body: JSON.generate({ login: "test-user" }), headers: json_headers)
+    stub_request(:get, "https://api.github.com/repos/rails/devcontainer")
+      .to_return(status: 200, body: JSON.generate({ full_name: "rails/devcontainer" }), headers: json_headers)
 
     stub_request(:get, "https://api.github.com/repos/rails/devcontainer/pulls?state=open")
       .to_return(
