From 99cf280089816f6b11b94309ab096b31c3d84aaa Mon Sep 17 00:00:00 2001
From: Robert DeLanghe <1240090+bdelanghe@users.noreply.github.com>
Date: Sun, 28 Jun 2026 23:48:56 -0400
Subject: [PATCH] fix: persist-credentials:false so the board pushes as the app token

The board push ran as github-actions[bot] (403) because checkout persisted the default GITHUB_TOKEN as a git http auth header, overriding the app-token URL the synoptic container sets. Disable credential persistence so the entrypoint's minted-token push is the one used.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/fleet-status.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/fleet-status.yml b/.github/workflows/fleet-status.yml
index e04c091..7350e95 100644
--- a/.github/workflows/fleet-status.yml
+++ b/.github/workflows/fleet-status.yml
@@ -26,7 +26,13 @@ jobs:
 status:
 runs-on: ubuntu-latest
 steps:
+ # persist-credentials:false so checkout does NOT install the default
+ # GITHUB_TOKEN as a git auth header — otherwise it overrides the app-token
+ # URL the synoptic container sets, and the board push runs as the read-only
+ # github-actions[bot] (403). With it off, the push uses the minted app token.
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
 - name: Mint a fleet token via the OIDC broker
 id: app-token
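Review bot: The comment added above the checkout step explains why the default token must not be persisted, but it does not record that the push now depends on a write-capable app token carried in the remote URL. If the container writes that URL into `.git/config`, as the comment's wording suggests, the token stays readable in the workspace for every later step. I would add one line to the comment, such as `# The app-token URL may remain in .git/config after the push; do not upload the workspace as an artifact.`, or have the entrypoint restore the plain remote URL once the push completes. Since GITHUB_TOKEN is no longer used for git operations, the job's `permissions:` block (outside this hunk) can probably be reduced to `contents: read`, which is worth confirming. The `steps:` list continues past the end of the hunk.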