open-telemetry
diff --git a/‎.github/workflows/build-explorer-database.yml‎
Lines changed: 24 additions & 14 deletions b/‎.github/workflows/build-explorer-database.yml‎
Lines changed: 24 additions & 14 deletions
diff --git a/‎.github/workflows/nightly-registry-update.yml‎
Lines changed: 24 additions & 14 deletions b/‎.github/workflows/nightly-registry-update.yml‎
Lines changed: 24 additions & 14 deletions
@@ -39,14 +39,6 @@ jobs:
       pull-requests: write # Create or update the automated database-update PR
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          # Persisted credentials are required so the later `git push -f origin
-          # HEAD:${BRANCH}` step can authenticate.
-          persist-credentials: true
-
       - name: Detect repository type (if on a fork we use different git config)
         id: repo_check
         env:
@@ -58,19 +50,37 @@ jobs:
             echo "is_primary=false" >> $GITHUB_OUTPUT
           fi
 
-      - name: Configure git (primary repository)
-        if: steps.repo_check.outputs.is_primary == 'true'
-        run: |
-          .github/scripts/use-cla-approved-bot.sh
-
+      # Mint the otelbot App token BEFORE checkout so it can be persisted as the
+      # git credential. Pushes authenticated with the App token trigger
+      # downstream workflows (e.g. CodeQL on the PR); pushes authenticated with
+      # the default GITHUB_TOKEN do not, which previously left automated-update
+      # PRs blocked waiting for code-scanning results after a branch update.
       - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         if: steps.repo_check.outputs.is_primary == 'true'
         id: otelbot-token
         with:
           app-id: ${{ vars.OTELBOT_APP_ID }}
           private-key: ${{ secrets.OTELBOT_PRIVATE_KEY }}
           repositories: ${{ github.event.repository.name }}
-          permission-pull-requests: write
+          permission-contents: write # Push the generated database to the update branch
+          permission-pull-requests: write # Create or update the automated PR
+
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          # On the primary repo, persist the otelbot App token so the later
+          # `git push -f origin HEAD:${BRANCH}` authenticates as the App and
+          # triggers downstream workflows. Forks have no App secret and fall
+          # back to GITHUB_TOKEN.
+          token:
+            ${{ steps.repo_check.outputs.is_primary == 'true' && steps.otelbot-token.outputs.token
+            || secrets.GITHUB_TOKEN }}
+          persist-credentials: true
+
+      - name: Configure git (primary repository)
+        if: steps.repo_check.outputs.is_primary == 'true'
+        run: |
+          .github/scripts/use-cla-approved-bot.sh
 
       - name: Configure git (fork)
         if: steps.repo_check.outputs.is_primary == 'false'
 
@@ -32,14 +32,6 @@ jobs:
       dotnet_result: ${{ steps.dotnet_instrumentation_watcher.outcome }}
       configuration_result: ${{ steps.configuration_watcher.outcome }}
     steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          # Persisted credentials are required so the later `git push -f origin
-          # HEAD:${BRANCH}` step can authenticate.
-          persist-credentials: true
-
       - name: Detect repository type (if on a fork we use different git config)
         id: repo_check
         env:
@@ -51,19 +43,37 @@ jobs:
             echo "is_primary=false" >> $GITHUB_OUTPUT
           fi
 
-      - name: Configure git (primary repository)
-        if: steps.repo_check.outputs.is_primary == 'true'
-        run: |
-          .github/scripts/use-cla-approved-bot.sh
-
+      # Mint the otelbot App token BEFORE checkout so it can be persisted as the
+      # git credential. Pushes authenticated with the App token trigger
+      # downstream workflows (e.g. CodeQL on the PR); pushes authenticated with
+      # the default GITHUB_TOKEN do not, which previously left automated-update
+      # PRs blocked waiting for code-scanning results after a branch update.
       - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         if: steps.repo_check.outputs.is_primary == 'true'
         id: otelbot-token
         with:
           app-id: ${{ vars.OTELBOT_APP_ID }}
           private-key: ${{ secrets.OTELBOT_PRIVATE_KEY }}
           repositories: ${{ github.event.repository.name }}
-          permission-pull-requests: write
+          permission-contents: write # Push registry updates to the update branch
+          permission-pull-requests: write # Create or update the automated PR
+
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          # On the primary repo, persist the otelbot App token so the later
+          # `git push -f origin HEAD:${BRANCH}` authenticates as the App and
+          # triggers downstream workflows. Forks have no App secret and fall
+          # back to GITHUB_TOKEN.
+          token:
+            ${{ steps.repo_check.outputs.is_primary == 'true' && steps.otelbot-token.outputs.token
+            || secrets.GITHUB_TOKEN }}
+          persist-credentials: true
+
+      - name: Configure git (primary repository)
+        if: steps.repo_check.outputs.is_primary == 'true'
+        run: |
+          .github/scripts/use-cla-approved-bot.sh
 
       - name: Configure git (forked repository)
         if: steps.repo_check.outputs.is_primary == 'false'