From 356a73b628f36b8f5fb34619e78e55255995a94e Mon Sep 17 00:00:00 2001 From: emersonfras Date: Mon, 30 Mar 2026 12:57:54 -0400 Subject: [PATCH 1/4] fix: use PR_TOKEN for tag-scan workflow PR creation and push --- .github/workflows/weekly-tag-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/weekly-tag-scan.yml b/.github/workflows/weekly-tag-scan.yml index 5298b80..a6d9e1e 100644 --- a/.github/workflows/weekly-tag-scan.yml +++ b/.github/workflows/weekly-tag-scan.yml @@ -25,7 +25,7 @@ jobs: - name: Checkout uses: actions/checkout@v6 with: - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ secrets.PR_TOKEN }} - name: Set up Node uses: actions/setup-node@v6 @@ -43,7 +43,7 @@ jobs: - name: Compute new tags and manage PR env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ secrets.PR_TOKEN }} run: | # Collect lines added vs main (new tags). # grep '^+[^+]' captures added lines but not the '+++' diff header. From c09aa80c72410564a9500f98ecf43903c6e3d76c Mon Sep 17 00:00:00 2001 From: emersonfras Date: Mon, 30 Mar 2026 13:02:43 -0400 Subject: [PATCH 2/4] Stash tag-export changes before checking out existing tag-scan/auto branch --- .github/workflows/weekly-tag-scan.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/weekly-tag-scan.yml b/.github/workflows/weekly-tag-scan.yml index a6d9e1e..836b939 100644 --- a/.github/workflows/weekly-tag-scan.yml +++ b/.github/workflows/weekly-tag-scan.yml @@ -93,7 +93,9 @@ jobs: # any contributor commits. Otherwise create it fresh from main. if git ls-remote --exit-code origin tag-scan/auto > /dev/null 2>&1; then git fetch origin tag-scan/auto + git stash git checkout tag-scan/auto + git stash pop else git checkout -b tag-scan/auto fi From 6a1fb371159f3fb00f9406cfab956a5af454dd8e Mon Sep 17 00:00:00 2001 
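Review bot: In PATCH 1/4's second hunk (step `Compute new tags and manage PR`), `GH_TOKEN: ${{ secrets.PR_TOKEN }}` is set in the step-level `env:`, so the PAT is inherited by every command the `run:` script starts, not only the `gh` call that opens the PR. PATCH 4/4 is titled as scoping PR_TOKEN to PR creation, yet it only changes the checkout token and leaves this line unchanged. Consider moving the PR create/update commands into their own step that carries `GH_TOKEN`, and keeping the tag computation and git operations in a step without it; the `gh` invocations are outside the hunk, so confirm which of them need the PAT. A guard at the top of that step, `[ -n "$GH_TOKEN" ] || { echo "PR_TOKEN secret is not set" >&2; exit 1; }`, would also turn a missing secret into a clear failure.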
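Review bot: `git stash pop` after `git checkout tag-scan/auto` (PATCH 2/4) re-applies a change made against main onto a branch that presumably already carries an earlier edit of the same export file, so the pop can stop with a merge conflict and leave conflict markers in the working tree. Plain `git stash` also skips untracked files and saves nothing when no tracked file is modified, in which case the pop fails for lack of a stash entry. If the regenerated file is meant to replace the branch's copy outright, copying it aside and back is more predictable: `cp scripts/tag-export.txt "$RUNNER_TEMP/"`, `git checkout -f tag-scan/auto`, `cp "$RUNNER_TEMP/tag-export.txt" scripts/`. The path is taken from the README text in this series, and the rest of the `run:` script is outside the hunk, so check that it matches what the script actually writes.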
From: emersonfras Date: Mon, 30 Mar 2026 13:25:01 -0400 Subject: [PATCH 3/4] Document PR_TOKEN secret requirement for tag scan workflow --- README.md | 2 ++ docs/tag-grouping-process.md | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/README.md b/README.md index bbad68c..d9a410d 100644 --- a/README.md +++ b/README.md @@ -96,6 +96,8 @@ Tags from GitHub topics and Hugging Face card metadata are free-form text, so th When first setting up your catalog, run the export script to generate a full list of your organization's current raw tags (saved to `scripts/tag-export.txt`), then use that list to build your initial `tag-groups.js`. A weekly GitHub Actions workflow will automatically open a pull request whenever 5 or more new tags (relative to the last committed baseline in `scripts/tag-export.txt`) are detected, keeping your tag groups up to date over time. +> **Required secret:** The weekly tag scan workflow requires a fine-grained PAT stored as a repository secret named `PR_TOKEN` (Settings → Secrets and variables → Actions). The PAT must have **Contents: Read and write** and **Pull requests: Read and write** permissions on the catalog repo. + See **[docs/tag-grouping-process.md](docs/tag-grouping-process.md)** for full setup instructions, conventions, and guidance on using AI assistance for the initial grouping pass. ## Local Testing diff --git a/docs/tag-grouping-process.md b/docs/tag-grouping-process.md index 4ef3b4c..bc2b18e 100644 --- a/docs/tag-grouping-process.md +++ b/docs/tag-grouping-process.md 
@@ -71,6 +71,10 @@ the GitHub and Hugging Face APIs, diffs them against the committed baseline in `scripts/tag-export.txt`, and opens (or updates) a pull request titled **`[Tag Scan] New tags detected — review tag-groups.js`** whenever 5 or more new tags appear. +> **Prerequisite:** The workflow requires a fine-grained PAT stored as a repository secret named +> `PR_TOKEN` with **Contents: Read and write** and **Pull requests: Read and write** permissions. +> Without it, the workflow will find new tags but fail when attempting to open the PR. + You should update `public/tag-groups.js` when that PR is opened or updated. --- From 7c51243e6a63bf770c562355a9277b5f08b4c9b1 Mon Sep 17 00:00:00 2001 From: emersonfras Date: Mon, 30 Mar 2026 13:51:56 -0400 Subject: [PATCH 4/4] Revert checkout to GITHUB_TOKEN, scope PR_TOKEN to PR creation only --- .github/workflows/weekly-tag-scan.yml | 2 +- README.md | 2 +- docs/tag-grouping-process.md | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/weekly-tag-scan.yml b/.github/workflows/weekly-tag-scan.yml index 836b939..4e69b12 100644 --- a/.github/workflows/weekly-tag-scan.yml +++ b/.github/workflows/weekly-tag-scan.yml @@ -25,7 +25,7 @@ jobs: - name: Checkout uses: actions/checkout@v6 with: - token: ${{ secrets.PR_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} - name: Set up Node uses: actions/setup-node@v6 diff --git a/README.md b/README.md index d9a410d..37d4965 100644 --- a/README.md +++ b/README.md 
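Review bot: With checkout back on `secrets.GITHUB_TOKEN` in PATCH 4/4, the later push of `tag-scan/auto` depends on the job's token having write access to repository contents, and no `permissions:` block is visible in this hunk. If the workflow does not already declare one, add a job-level `permissions:` with `contents: write` so the push does not hinge on the repository's default token setting and the token carries nothing beyond what the job needs. The `with: token: ${{ secrets.GITHUB_TOKEN }}` line matches the default of actions/checkout, so it can be dropped; credential persistence has to stay enabled for the push to authenticate. The job definition starts outside the hunk.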
@@ -96,7 +96,7 @@ Tags from GitHub topics and Hugging Face card metadata are free-form text, so th When first setting up your catalog, run the export script to generate a full list of your organization's current raw tags (saved to `scripts/tag-export.txt`), then use that list to build your initial `tag-groups.js`. A weekly GitHub Actions workflow will automatically open a pull request whenever 5 or more new tags (relative to the last committed baseline in `scripts/tag-export.txt`) are detected, keeping your tag groups up to date over time. -> **Required secret:** The weekly tag scan workflow requires a fine-grained PAT stored as a repository secret named `PR_TOKEN` (Settings → Secrets and variables → Actions). The PAT must have **Contents: Read and write** and **Pull requests: Read and write** permissions on the catalog repo. +> **Required secret:** The weekly tag scan workflow requires a fine-grained PAT stored as a repository secret named `PR_TOKEN` (Settings → Secrets and variables → Actions). The PAT must have **Pull requests: Read and write** permission on the catalog repo. See **[docs/tag-grouping-process.md](docs/tag-grouping-process.md)** for full setup instructions, conventions, and guidance on using AI assistance for the initial grouping pass. diff --git a/docs/tag-grouping-process.md b/docs/tag-grouping-process.md index bc2b18e..e1277d6 100644 --- a/docs/tag-grouping-process.md +++ b/docs/tag-grouping-process.md 
@@ -72,8 +72,8 @@ the GitHub and Hugging Face APIs, diffs them against the committed baseline in **`[Tag Scan] New tags detected — review tag-groups.js`** whenever 5 or more new tags appear. > **Prerequisite:** The workflow requires a fine-grained PAT stored as a repository secret named -> `PR_TOKEN` with **Contents: Read and write** and **Pull requests: Read and write** permissions. -> Without it, the workflow will find new tags but fail when attempting to open the PR. +> `PR_TOKEN` with **Pull requests: Read and write** permission. Without it, the workflow will find +> new tags and push the branch successfully, but fail when attempting to open the PR. You should update `public/tag-groups.js` when that PR is opened or updated.