Use ALLOWLIST_WORKFLOW_TOKEN and restore branch protection

.asf.yaml

@@ -21,17 +21,13 @@ github:
   features:
     issues: true
   protected_branches:
-  # revert #642
-  #  main:
-  #    required_status_checks:
-  #      # strict means "Require branches to be up to date before merging".
-  #      strict: false
-  #    required_pull_request_reviews:
-  #      dismiss_stale_reviews: false
-  #      required_approving_review_count: 1
-  #    #bypass_pull_request_allowances:
-  #    #  users:
-  #    #    - asfgit
+    main:
+      required_status_checks:
+        # strict means "Require branches to be up to date before merging".
+        strict: false
+      required_pull_request_reviews:
+        dismiss_stale_reviews: false
+        required_approving_review_count: 1
 
 notifications:
   commits: commits@infra.apache.org

.github/workflows/remove_expired.yml

@@ -40,6 +40,22 @@ jobs:
           # Use PAT so the commit triggers other actions
           token: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN || github.token }}
 
+      - name: Print token details
+        if: ${{ github.event_name != 'pull_request' && secrets.ALLOWLIST_WORKFLOW_TOKEN }}
+        env:
+          GH_TOKEN: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN }}
+        run: |
+          echo "::group::Token details"
+          echo "Token user and permissions:"
+          gh api /user --jq '"Login: \(.login)\nName: \(.name)\nEmail: \(.email)"'
+          echo ""
+          echo "Token expiration:"
+          gh api /installation/token --jq '.expires_at' 2>/dev/null || echo "Token expiration not available (likely a PAT, not an installation token)"
+          echo ""
+          echo "Token scopes:"
+          curl -sS -H "Authorization: token ${GH_TOKEN}" -I https://api.github.com/ 2>/dev/null | grep -i 'x-oauth-scopes' || echo "No OAuth scopes header (fine-grained or app token)"
+          echo "::endgroup::"
+
       - run: pipx install uv
 
       - name: Clean actions.yml
@@ -55,9 +71,13 @@ jobs:
 
       - name: Commit and push changes
         if: ${{ github.event_name != 'pull_request' }}
+        env:
+          GH_TOKEN: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN || github.token }}
         run: |
-          git config --local user.name "asfgit"
-          git config --local user.email "asfgit@users.noreply.github.com"
+          AUTHOR_NAME=$(gh api /user --jq '.login' 2>/dev/null || echo "asfgit")
+          AUTHOR_EMAIL=$(gh api /user --jq '.email // "\(.login)@users.noreply.github.com"' 2>/dev/null || echo "asfgit@users.noreply.github.com")
+          git config --local user.name "${AUTHOR_NAME}"
+          git config --local user.email "${AUTHOR_EMAIL}"
           git add -f actions.yml approved_patterns.yml
           git commit -m "Remove Expired Refs" -m "Generated by .github/workflows/remove_expired.yml" || echo "No changes"
           git push origin

.github/workflows/update_actions.yml

@@ -46,6 +46,23 @@ jobs:
       - uses: actions/checkout@v6.0.2
         with:
           persist-credentials: true
+          token: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN || github.token }}
+
+      - name: Print token details
+        if: ${{ github.event_name != 'pull_request' && secrets.ALLOWLIST_WORKFLOW_TOKEN }}
+        env:
+          GH_TOKEN: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN }}
+        run: |
+          echo "::group::Token details"
+          echo "Token user and permissions:"
+          gh api /user --jq '"Login: \(.login)\nName: \(.name)\nEmail: \(.email)"'
+          echo ""
+          echo "Token expiration:"
+          gh api /installation/token --jq '.expires_at' 2>/dev/null || echo "Token expiration not available (likely a PAT, not an installation token)"
+          echo ""
+          echo "Token scopes:"
+          curl -sS -H "Authorization: token ${GH_TOKEN}" -I https://api.github.com/ 2>/dev/null | grep -i 'x-oauth-scopes' || echo "No OAuth scopes header (fine-grained or app token)"
+          echo "::endgroup::"
 
       - run: pipx install uv
 
@@ -62,9 +79,13 @@ jobs:
 
       - name: Commit and push changes
         if: ${{ github.event_name != 'pull_request' }}
+        env:
+          GH_TOKEN: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN || github.token }}
         run: |
-          git config --local user.name "asfgit"
-          git config --local user.email "asfgit@users.noreply.github.com"
+          AUTHOR_NAME=$(gh api /user --jq '.login' 2>/dev/null || echo "asfgit")
+          AUTHOR_EMAIL=$(gh api /user --jq '.email // "\(.login)@users.noreply.github.com"' 2>/dev/null || echo "asfgit@users.noreply.github.com")
+          git config --local user.name "${AUTHOR_NAME}"
+          git config --local user.email "${AUTHOR_EMAIL}"
           git add -f actions.yml approved_patterns.yml
           git commit -m "Update actions.yml and approved_patterns.yml based on .github/workflows/dummy.yml" -m "Generated by .github/workflows/update_actions.yml" || echo "No changes"
           git push origin

.github/workflows/update_dummy.yml

@@ -47,6 +47,22 @@ jobs:
           # We have to use a PAT to commit the workflow file
           token: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN || github.token }}
 
+      - name: Print token details
+        if: ${{ github.event_name != 'pull_request' && secrets.ALLOWLIST_WORKFLOW_TOKEN }}
+        env:
+          GH_TOKEN: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN }}
+        run: |
+          echo "::group::Token details"
+          echo "Token user and permissions:"
+          gh api /user --jq '"Login: \(.login)\nName: \(.name)\nEmail: \(.email)"'
+          echo ""
+          echo "Token expiration:"
+          gh api /installation/token --jq '.expires_at' 2>/dev/null || echo "Token expiration not available (likely a PAT, not an installation token)"
+          echo ""
+          echo "Token scopes:"
+          curl -sS -H "Authorization: token ${GH_TOKEN}" -I https://api.github.com/ 2>/dev/null | grep -i 'x-oauth-scopes' || echo "No OAuth scopes header (fine-grained or app token)"
+          echo "::endgroup::"
+
       - run: pipx install uv
 
       - name: Update Workflow
@@ -62,9 +78,13 @@ jobs:
 
       - name: Commit and push changes
         if: ${{ github.event_name != 'pull_request' }}
+        env:
+          GH_TOKEN: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN || github.token }}
         run: |
-          git config --local user.name "asfgit"
-          git config --local user.email "asfgit@users.noreply.github.com"
+          AUTHOR_NAME=$(gh api /user --jq '.login' 2>/dev/null || echo "asfgit")
+          AUTHOR_EMAIL=$(gh api /user --jq '.email // "\(.login)@users.noreply.github.com"' 2>/dev/null || echo "asfgit@users.noreply.github.com")
+          git config --local user.name "${AUTHOR_NAME}"
+          git config --local user.email "${AUTHOR_EMAIL}"
           git add -f .github/workflows/dummy.yml approved_patterns.yml
           git commit -m "Update approved_patterns.yml and .github/workflows/dummy.yml based on actions.yml" -m "Generated by .github/workflows/update_dummy.yml" || echo "No changes"
           git push origin