Authenticate governance evidence repo checkouts with WORKFLOW_PAT

The Canonical Governance workflow checked out the private pulse-pro,
pulse-enterprise, and pulse-mobile evidence repos with the default
workflow token, which cannot see other private repos, so every run
failed at the pulse-pro checkout. Use the existing WORKFLOW_PAT
secret (already used by create-release.yml to dispatch private Pro
workflows) and avoid persisting the credential in the checkout.
This commit is contained in:
rcourtman 2026-07-07 22:32:25 +01:00
parent c6fdd9058c
commit 6f5771d973

View file

@ -25,6 +25,8 @@ jobs:
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
repository: rcourtman/pulse-pro
token: ${{ secrets.WORKFLOW_PAT }}
persist-credentials: false
fetch-depth: 1
path: .governance/repos/pulse-pro
@ -32,6 +34,8 @@ jobs:
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
repository: rcourtman/pulse-enterprise
token: ${{ secrets.WORKFLOW_PAT }}
persist-credentials: false
fetch-depth: 1
path: .governance/repos/pulse-enterprise
@ -39,6 +43,8 @@ jobs:
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
repository: rcourtman/pulse-mobile
token: ${{ secrets.WORKFLOW_PAT }}
persist-credentials: false
fetch-depth: 1
path: .governance/repos/pulse-mobile