ci: pass MODELS_PAT to ai-inference instead of GITHUB_TOKEN

The auto-injected GITHUB_TOKEN returns 403 (no body) from the GitHub
Models API on orgs that don't have Models enabled at the org level
(yao-pkg is on the free plan; the toggle isn't available). A
fine-grained PAT scoped only to account-level 'Models: Read'
authenticates as the user and works regardless of org policy.

See actions/ai-inference#155 for the same
symptom and fix. The new MODELS_PAT secret has the minimum possible
permission and no third-party trust — fundamentally different from
the OpenAI key it replaces.

Author: robertsLando

.github/workflows/patch-node.yml

@@ -94,6 +94,12 @@ jobs:
           # CoT tokens. 1M input / 32K output / "high" rate-limit tier.
           model: openai/gpt-4.1
           max-completion-tokens: 16000
+          # The auto-injected GITHUB_TOKEN cannot access GitHub Models on
+          # orgs that don't have Models enabled at the org/enterprise level
+          # (returns 403 with no body). A fine-grained PAT scoped only to
+          # account-level "Models: Read" works regardless of org policy.
+          # See: https://github.com/actions/ai-inference/issues/155
+          token: ${{ secrets.MODELS_PAT }}
 
       - name: Apply AI resolutions
         if: steps.apply.outputs.needs_ai == 'true'