Codex/fix poll nvd pr auth (#86)

* chore(gitignore): ignore auto-claude workspace dir

* fix(ci): restore github token auth for poll-nvd workflow

.github/workflows/poll-nvd-cves.yml

@@ -29,6 +29,10 @@ env:
 jobs:
   poll-and-update:
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -654,22 +658,12 @@ jobs:
           git checkout -- .github/ 2>/dev/null || true
           git clean -fd .github/ 2>/dev/null || true
 
-      - name: Require automation token for PR operations
-        if: steps.transform.outputs.new_count != '0' || steps.updates.outputs.update_count != '0'
-        env:
-          AUTOMATION_TOKEN: ${{ secrets.POLL_NVD_CVES_PAT }}
-        run: |
-          if [ -z "$AUTOMATION_TOKEN" ]; then
-            echo "::error::Set POLL_NVD_CVES_PAT with repo/workflow write permissions."
-            exit 1
-          fi
-
       - name: Create Pull Request
         if: steps.transform.outputs.new_count != '0' || steps.updates.outputs.update_count != '0'
         id: create-pr
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:
-          token: ${{ secrets.POLL_NVD_CVES_PAT }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           branch: automated/nvd-cve-update-${{ github.run_id }}
           delete-branch: true
           title: "chore: CVE advisories - ${{ steps.transform.outputs.new_count }} new, ${{ steps.updates.outputs.update_count }} updated"
@@ -699,7 +693,7 @@ jobs:
       - name: Run CodeQL on generated PR branch
         if: steps.create-pr.outputs.pull-request-number != ''
         env:
-          GH_TOKEN: ${{ secrets.POLL_NVD_CVES_PAT }}
+          GH_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
 

.gitignore

@@ -1,4 +1,5 @@
 .claude
+.auto-claude/
 .codex
 _bmad
 _bmad-output