fix(ci): use gh api for release creation to fix workflow scope error

JOY · claude · JOY · commit d9ce4b409c60 · 2026-02-25T11:35:30.000+07:00
gh release create in Actions fails with "workflow scope may be required"
even with a PAT that has workflow scope. Switch to gh api direct call
which bypasses gh CLI's token resolution issues. Also remove GITHUB_TOKEN
fallback to fail early if GH_PAT is not set.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/sync-upstream.yml b/.github/workflows/sync-upstream.yml
@@ -135,20 +135,34 @@ jobs:
       - name: Create release
         if: steps.target.outputs.skip == 'false' && steps.merge.outputs.result == 'success'
         env:
-          GH_TOKEN: ${{ secrets.GH_PAT || secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_PAT }}
         run: |
           TAG="${{ steps.target.outputs.tag }}"
+
+          # Verify PAT is available (not falling back to GITHUB_TOKEN)
+          if [ -z "$GH_TOKEN" ]; then
+            echo "::error::GH_PAT secret is not set. Cannot create release without workflow scope."
+            exit 1
+          fi
+
           # Delete existing release if any (from upstream fork sync)
-          gh release delete "$TAG" --yes 2>/dev/null || true
-          gh release create "$TAG" \
-            --title "DOScan $TAG" \
-            --notes "Synced from upstream [blockscout/blockscout $TAG](https://github.com/blockscout/blockscout/releases/tag/$TAG)" \
-            --latest
+          RELEASE_ID=$(gh api "repos/${{ github.repository }}/releases/tags/$TAG" --jq '.id' 2>/dev/null || true)
+          if [ -n "$RELEASE_ID" ]; then
+            echo "Deleting existing release $RELEASE_ID for $TAG"
+            gh api -X DELETE "repos/${{ github.repository }}/releases/$RELEASE_ID" 2>/dev/null || true
+          fi
+
+          # Create release via API (more reliable than gh release create in Actions)
+          gh api "repos/${{ github.repository }}/releases" \
+            -f tag_name="$TAG" \
+            -f name="DOScan $TAG" \
+            -f body="Synced from upstream [blockscout/blockscout $TAG](https://github.com/blockscout/blockscout/releases/tag/$TAG)" \
+            -F make_latest=true
 
       - name: Create PR on conflict
         if: steps.target.outputs.skip == 'false' && steps.merge.outputs.result == 'conflict'
         env:
-          GH_TOKEN: ${{ secrets.GH_PAT || secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_PAT }}
         run: |
           TAG="${{ steps.target.outputs.tag }}"
           BRANCH="sync-upstream-${TAG}"
