From 4da275be14b3acef96a3e20758beb440e677fdbf Mon Sep 17 00:00:00 2001
From: Kaiyue Jiang <kjiang@augmentcode.com>
Date: Fri, 24 Apr 2026 16:20:06 -0700
Subject: [PATCH] fix(ci): use VARIABLES_WRITE_TOKEN for V1_LATEST_TAG update

Remove the invalid 'variables: write' permission (no such permission exists
in GitHub Actions) and switch the V1_LATEST_TAG update step to use
secrets.VARIABLES_WRITE_TOKEN instead of the default github.token, which
cannot modify repository Actions variables.

Requires VARIABLES_WRITE_TOKEN to be configured as a fine-grained PAT
scoped to augmentcode/auggie with Metadata: read and Variables: read/write.
---
 .github/workflows/bun-compile.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/bun-compile.yml b/.github/workflows/bun-compile.yml
index 4bb6c6b..036eef2 100644
--- a/.github/workflows/bun-compile.yml
+++ b/.github/workflows/bun-compile.yml
@@ -126,7 +126,6 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
-      variables: write
     steps:
       - name: Download all artifacts
         uses: actions/download-artifact@v4
@@ -163,7 +162,7 @@ jobs:
       - name: Update V1_LATEST_TAG variable
         if: ${{ !contains(inputs.version || github.event.client_payload.version, 'prerelease') }}
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ secrets.VARIABLES_WRITE_TOKEN }}
           VERSION: ${{ inputs.version || github.event.client_payload.version }}
         run: |
           gh api --method PATCH "repos/${{ github.repository }}/actions/variables/V1_LATEST_TAG" \