From 8132c23f41f11ae7949072cd8f3fcaaac461d9b8 Mon Sep 17 00:00:00 2001 From: davida-ps Date: Thu, 26 Feb 2026 00:37:50 +0200 Subject: [PATCH] Codex/wiki sync revert working (#79) * fix(wiki-sync): restore known-good pat auth flow * fix(wiki-sync): restore github token write flow --- .github/workflows/wiki-sync.yml | 34 ++++----------------------------- 1 file changed, 4 insertions(+), 30 deletions(-) diff --git a/.github/workflows/wiki-sync.yml b/.github/workflows/wiki-sync.yml index 8c303d1..9845678 100644 --- a/.github/workflows/wiki-sync.yml +++ b/.github/workflows/wiki-sync.yml @@ -7,7 +7,8 @@ on: - 'wiki/**' workflow_dispatch: -permissions: read-all +permissions: + contents: write concurrency: group: wiki-sync @@ -22,7 +23,7 @@ jobs: - name: Sync wiki folder to repository wiki env: - AUTOMATION_TOKEN: ${{ secrets.POLL_NVD_CVES_PAT }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set -euo pipefail @@ -31,11 +32,6 @@ jobs: exit 1 fi - if [ -z "$AUTOMATION_TOKEN" ]; then - echo "::error::Set POLL_NVD_CVES_PAT with repo write permissions." - exit 1 - fi - # GitHub Wiki root (/wiki) renders Home.md, not INDEX.md. # INDEX.md is the canonical source; generate Home.md from it. if [ ! -f wiki/INDEX.md ]; then 
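Review bot: The new top-level `permissions:` block grants `contents: write` to every job in the workflow, although only the wiki push step in the later hunks appears to need it. Prefer `permissions: {}` at workflow level and a job-level `permissions:` with `contents: write` on the sync job, so a job added later does not inherit a write-capable token by default. The rest of the workflow is outside these hunks, so whether other jobs exist today cannot be confirmed from here. Because the workflow runs on pushes to `wiki/**` and on manual dispatch, a write token is issued for each of those runs.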
@@ -44,29 +40,7 @@ jobs: fi cp wiki/INDEX.md wiki/Home.md - REPO_API_JSON="$(mktemp)" - REPO_API_STATUS="$(curl -sS -o "$REPO_API_JSON" -w "%{http_code}" -H "Authorization: Bearer ${AUTOMATION_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${{ github.repository }}")" - if [ "$REPO_API_STATUS" = "401" ]; then - echo "::error::POLL_NVD_CVES_PAT is invalid/expired, or not SSO-authorized for this org." - exit 1 - fi - if [ "$REPO_API_STATUS" = "404" ]; then - echo "::error::POLL_NVD_CVES_PAT cannot access ${{ github.repository }}." - exit 1 - fi - if [ "$REPO_API_STATUS" != "200" ]; then - REPO_API_MESSAGE="$(jq -r '.message // empty' "$REPO_API_JSON" || true)" - echo "::error::Unexpected GitHub API response (${REPO_API_STATUS}) while validating token. ${REPO_API_MESSAGE}" - exit 1 - fi - - REPO_PUSH_PERMISSION="$(jq -r '.permissions.push // false' "$REPO_API_JSON" || true)" - if [ "$REPO_PUSH_PERMISSION" != "true" ]; then - echo "::error::POLL_NVD_CVES_PAT cannot push to ${{ github.repository }}. Grant Contents: write (fine-grained PAT) or repo scope (classic PAT), and ensure org approval/SSO authorization if required." - exit 1 - fi - - WIKI_REMOTE="https://x-access-token:${AUTOMATION_TOKEN}@github.com/${{ github.repository }}.wiki.git" + WIKI_REMOTE="https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.wiki.git" if ! git ls-remote "$WIKI_REMOTE" >/dev/null 2>&1; then echo "::warning::Wiki remote unavailable (repository wiki may be disabled). Skipping sync." exit 0
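Review bot: With the token pre-flight removed, the `git ls-remote "$WIKI_REMOTE" >/dev/null 2>&1` check in the context lines is the only place a credential problem can surface, and it reports every failure as a disabled wiki and exits 0. A token without write access or a network error therefore produces a green run with no sync. Keep stderr by dropping `2>&1` (the runner masks the secret value in logs) and `exit 1` unless the wiki is confirmed to be disabled. The new `WIKI_REMOTE` line also places the token in the URL, so it reaches git's command line, and `.git/config` too if the rest of the script, which is outside this hunk, clones from it or adds it as a remote. A credential helper that reads `$GITHUB_TOKEN` from the environment avoids both, and the runner's `$GITHUB_REPOSITORY` variable can replace `${{ github.repository }}`, so nothing is template-expanded into the script text.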