fix(ci): use built-in GITHUB_TOKEN for Release instead of PAT

[matt-evervault]

Problem

Every Release run fails at the actions/checkout step:

fatal: could not read Username for 'https://github.com': terminal prompts disabled

The workflow checks out with token: ${{ secrets.GH_TOKEN }}, and that PAT is no longer a valid credential (rotation didn't resolve it). The run-tests/e2e workflows pass on the same commits because they use the default GitHub-generated token.

Change

Applying the review suggestion: drop the PAT and use the token GitHub generates, granting the job only the permissions it needs.

• Add a job-level permissions block: contents: write (push tags / version commits / create release) and pull-requests: write (changesets opens the "New Release" PR).
• Remove token: from checkout so it uses the default github.token.
• Point the changesets action env and the gh auth login in the release step at ${{ secrets.GITHUB_TOKEN }}.

Tradeoff

Commits/PRs created with the built-in GITHUB_TOKEN do not trigger downstream workflows. So the changesets "New Release" PR won't auto-run run-tests/e2e — they'll run once a human pushes to or merges that branch. This is the documented changesets reason a PAT is sometimes used; the review accepts it.

Verification

Merging to master triggers Release; getting past checkout (where every prior run died) confirms the fix.

🤖 Generated with Claude Code

[changeset-bot]

⚠️ No Changeset found

Latest commit: fd90d71

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR