From ba06f7078af69fdba2184186ca5cc53c65427ea2 Mon Sep 17 00:00:00 2001
From: Andrey Avtomonov <andreybavt@gmail.com>
Date: Sat, 30 May 2026 16:01:47 +0200
Subject: [PATCH] ci: push star-history refresh to protected main with
 RELEASE_PAT (#239)

The scheduled star-history workflow checked out with the default
GITHUB_TOKEN, so its git push to main was rejected by the branch
protection hook (GH006). Check out with RELEASE_PAT instead, matching
release.yml, whose semantic-release step already pushes to the protected
main branch with the same token.
---
 .github/workflows/star-history.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/star-history.yml b/.github/workflows/star-history.yml
index ec484b05..e67a0517 100644
--- a/.github/workflows/star-history.yml
+++ b/.github/workflows/star-history.yml
@@ -25,6 +25,10 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          # RELEASE_PAT can push to the protected main branch; the default
+          # GITHUB_TOKEN is rejected by the branch-protection hook (GH006).
+          token: ${{ secrets.RELEASE_PAT }}
 
       - name: Fetch fresh star-history SVG
         run: |