GitHub checks not running update_wpt_manifest.yml

[KyleJu]

#1441. After creation, the GitHub checks are stuck and didn't run properly. I have to close and open again to trigger the checks.

It occurs for all the PRs created by https://github.com/web-platform-tests/wpt-metadata/blob/master/.github/workflows/update_wpt_manifest.yml

[KyleJu]

Looks like it is a known issue peter-evans/create-pull-request#48

[foolip]

We can fix this by adding a token as a secret that we use only for creating the PR. Unfortunately, the user behind that token would then be the owner of the PR, instead of github-actions.

[foolip]

The effect of this is that human intervention is always required to update the manifest. It looks like this might be the cause of #3480.

@past until this is fixed, do you think we can add this to the rotation. Also cc @jcscottiii

[foolip]

Looks like the issue also affects "Resolve pending metadata" PRs, like #3457.

[jcscottiii]

There's a new workaround that we should do:

Use a machine account that creates pull requests from its own fork. This is the most secure because the PAT created only grants access to the machine account's fork, not the main repository. This method will trigger on: pull_request workflows to run. Workflows triggered on: push will not run because the push event is in the fork.

All of the affected actions are triggered by on: pull_request so it should work.

[foolip]

Yeah, that sounds like it would work!