debugging (#8882)

Co-authored-by: gemini-cli-robot <gemini-cli-robot@google.com>

.github/workflows/release-patch-1-create-pr.yml

@@ -36,6 +36,7 @@ jobs:
       contents: 'write'
       pull-requests: 'write'
       actions: 'write'
+      workflows: 'write'
     steps:
       - name: 'Checkout'
         uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
@@ -52,14 +53,6 @@ jobs:
       - name: 'Install Script Dependencies'
         run: 'npm install yargs'
 
-      - name: 'Generate GitHub App Token'
-        id: 'generate_token'
-        uses: 'actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b'
-        with:
-          app-id: '${{ secrets.APP_ID }}'
-          private-key: '${{ secrets.PRIVATE_KEY }}'
-          permission-pull-requests: 'write'
-          permission-contents: 'write'
 
       - name: 'Configure Git User'
         run: |-
@@ -72,7 +65,7 @@ jobs:
         id: 'create_patch'
         env:
           GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
-          GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
+          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
         continue-on-error: true
         run: |
           # Capture output and display it in logs using tee

scripts/releasing/create-patch-pr.js

@@ -98,6 +98,14 @@ async function main() {
     // Workaround for workflow permission issues: create branch from HEAD then reset to tag
     run(`git checkout -b ${releaseBranch}`, dryRun);
     run(`git reset --hard ${latestTag}`, dryRun);
+
+    // Ensure we're using GITHUB_TOKEN (with actions:write) for pushing workflow files
+    const githubToken = process.env.GITHUB_TOKEN;
+    const repo = process.env.GITHUB_REPOSITORY || 'google-gemini/gemini-cli';
+    if (githubToken) {
+      run(`git remote set-url origin https://x-access-token:${githubToken}@github.com/${repo}.git`, dryRun);
+    }
+
     run(`git push origin ${releaseBranch}`, dryRun);
   } else {
     console.log(`Release branch ${releaseBranch} already exists.`);