Use PAT for cross-repo tag creation in python-sdk workflow

[Copilot]

The fern-api step pushes commits to vectara/python-sdk but fails to create tags due to insufficient GITHUB_TOKEN permissions for cross-repository operations.

Changes

• Added permissions: contents: write to grant tag creation rights
• Added checkout step with PAT to authenticate against vectara/python-sdk:

  - name: Checkout python-sdk repo using PAT
    uses: actions/checkout@v4
    with:
      repository: vectara/python-sdk
      token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
      ref: main

• Added tag creation step that fetches the commit pushed by fern and force-updates the release tag:

  - name: Create/force tag and push
    run: |
      git fetch origin
      TARGET_SHA=$(git rev-parse origin/main)
      git tag -fa ${{ inputs.version }} "$TARGET_SHA" -m "Release ${{ inputs.version }}"
      git push --force origin refs/tags/${{ inputs.version }}

• Updated checkout action from v3 to v4 for consistency

Prerequisites

Requires repository secret PERSONAL_ACCESS_TOKEN with a GitHub PAT that has repo scope and write access to vectara/python-sdk. The workflow will fail until this secret is configured.

Notes

• Tag name uses workflow input ${{ inputs.version }} instead of hardcoded value
• Force-push allows re-releases by overwriting existing tags
• Assumes fern pushes to main branch

Original prompt

Update .github/workflows/python-sdk.yml to use a Personal Access Token for cross-repo pushes and to explicitly create/force-update the release tag on the python-sdk repo after pushing the commit. Rationale: the fern-api step pushed a commit to vectara/python-sdk but failed to tag due to insufficient permissions for GITHUB_TOKEN. This change uses a PAT (stored in secrets) and adds a dedicated step that fetches the target repo's main branch commit and force-updates the tag to point to that commit.

Changes to make in .github/workflows/python-sdk.yml:

1. Ensure workflow permissions allow writing contents (tags):

permissions:
contents: write

(If a permissions block already exists, update contents to write.)

2. Add a repository secret prerequisite in the PR description/instructions: the repo needs a secret PERSONAL_ACCESS_TOKEN with a PAT that has repo:public_repo or repo scope (write access) for vectara/python-sdk.

3. After the step that pushes the commit to vectara/python-sdk (the existing fern-api step), add the following steps to check out the target repo using the PAT, compute the latest commit on the branch, create/force the tag 0.4.0 to point to that commit, and push the tag.

Add these steps (insert after the existing push/commit step from fern-api):

• name: Checkout python-sdk repo using PAT
  uses: actions/checkout@v4
  with:
  repository: vectara/python-sdk
  token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
  ref: main

• name: Create/force tag 0.4.0 and push
  env:
  GIT_AUTHOR_NAME: "github-actions[bot]"
  GIT_AUTHOR_EMAIL: "github-actions[bot]@users.noreply.github.com"
  run: |
  git config user.name "$GIT_AUTHOR_NAME"
  git config user.email "$GIT_AUTHOR_EMAIL"

  Ensure we have the latest remote refs

  git fetch origin

  Use the remote main head (the commit that was just pushed by fern)

  TARGET_SHA=$(git rev-parse origin/main)
  echo "Tagging commit $TARGET_SHA"
  git tag -fa 0.4.0 "$TARGET_SHA" -m "Release 0.4.0"
  git push --force origin refs/tags/0.4.0

Notes and assumptions:

• This workflow assumes the commit pushed by the fern-api step landed on the 'main' branch of vectara/python-sdk. If the fern push targets a different branch, change ref: main and origin/main to the correct branch name.
• Using --force on the tag will rewrite the tag pointer if it already exists. Ensure the team is OK with this behavior.
• Add a repository secret named PERSONAL_ACCESS_TOKEN to vectara/vectara-docs (and ensure the PAT has write access to the vectara/python-sdk repo). The workflow will use that secret to authenticate checkout and push of the tag.

Please create a pull request with the updated .github/workflows/python-sdk.yml applying the changes above and include a clear PR description that requests adding the PERSONAL_ACCESS_TOKEN secret if it does not yet exist. If you want, I can instead modify the workflow to read the tag name from an output instead of hard-coding 0.4.0; let me know if you prefer that and whether the tag value is produced by an earlier step in the workflow.

This pull request was created as a result of the following prompt from Copilot chat.

Update .github/workflows/python-sdk.yml to use a Personal Access Token for cross-repo pushes and to explicitly create/force-update the release tag on the python-sdk repo after pushing the commit. Rationale: the fern-api step pushed a commit to vectara/python-sdk but failed to tag due to insufficient permissions for GITHUB_TOKEN. This change uses a PAT (stored in secrets) and adds a dedicated step that fetches the target repo's main branch commit and force-updates the tag to point to that commit.

Changes to make in .github/workflows/python-sdk.yml:

1. Ensure workflow permissions allow writing contents (tags):

permissions:
contents: write

(If a permissions block already exists, update contents to write.)

2. Add a repository secret prerequisite in the PR description/instructions: the repo needs a secret PERSONAL_ACCESS_TOKEN with a PAT that has repo:public_repo or repo scope (write access) for vectara/python-sdk.

3. After the step that pushes the commit to vectara/python-sdk (the existing fern-api step), add the following steps to check out the target repo using the PAT, compute the latest commit on the branch, create/force the tag 0.4.0 to point to that commit, and push the tag.

Add these steps (insert after the existing push/commit step from fern-api):

• name: Checkout python-sdk repo using PAT
  uses: actions/checkout@v4
  with:
  repository: vectara/python-sdk
  token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
  ref: main

• name: Create/force tag 0.4.0 and push
  env:
  GIT_AUTHOR_NAME: "github-actions[bot]"
  GIT_AUTHOR_EMAIL: "github-actions[bot]@users.noreply.github.com"
  run: |
  git config user.name "$GIT_AUTHOR_NAME"
  git config user.email "$GIT_AUTHOR_EMAIL"

  Ensure we have the latest remote refs

  git fetch origin

  Use the remote main head (the commit that was just pushed by fern)

  TARGET_SHA=$(git rev-parse origin/main)
  echo "Tagging commit $TARGET_SHA"
  git tag -fa 0.4.0 "$TARGET_SHA" -m "Release 0.4.0"
  git push --force origin refs/tags/0.4.0

Notes and assumptions:

• This workflow assumes the commit pushed by the fern-api step landed on the 'main' branch of vectara/python-sdk. If the fern push targets a different branch, change ref: main and origin/main to the correct branch name.
• Using --force on the tag will rewrite the tag pointer if it already exists. Ensure the team is OK with this behavior.
• Add a repository secret named PERSONAL_ACCESS_TOKEN to vectara/vectara-docs (and ensure the PAT has write access to the vectara/python-sdk repo). The workflow will use that secret to authenticate checkout and push of the tag.

Please create a pull request with the updated .github/workflows/python-sdk.yml applying the changes above and include a clear PR description that requests adding the PERSONAL_ACCESS_TOKEN secret if it does not yet exist. If you want, I can instead modify the workflow to read the tag name from an output instead of hard-coding 0.4.0; let me know if you prefer that and whether the tag value is produced by an earlier step in the workflow.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[netlify]

✅ Deploy Preview for luxury-shortbread-acee05 canceled.

Name	Link
🔨 Latest commit	735975e
🔍 Latest deploy log	https://app.netlify.com/projects/luxury-shortbread-acee05/deploys/690e286af270b40008f10fa9