From 195790bbe8a80284a2d1f7ba4ba947b141428867 Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Wed, 29 Apr 2026 04:03:21 -0700
Subject: [PATCH] fix(worker): probe execute GitHub token
---
 .github/workflows/cluster-worker.yml | 34 ++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/cluster-worker.yml b/.github/workflows/cluster-worker.yml
index 07dad5f..9065799 100644
--- a/.github/workflows/cluster-worker.yml
+++ b/.github/workflows/cluster-worker.yml
@@ -252,6 +252,30 @@ jobs:
 permission-pull-requests: write
 permission-workflows: write
+ - name: Select GitHub write token
+ env:
+ CLOWNFISH_APP_GH_TOKEN: ${{ steps.app_token.outputs.token }}
+ CLOWNFISH_WORKFLOW_APP_GH_TOKEN: ${{ steps.workflow_app_token.outputs.token }}
+ CLOWNFISH_WRITE_GH_TOKEN: ${{ secrets.CLOWNFISH_GH_TOKEN }}
+ GITHUB_TOKEN: ${{ github.token }}
+ run: |
+ set -euo pipefail
+ for candidate in CLOWNFISH_WRITE_GH_TOKEN CLOWNFISH_WORKFLOW_APP_GH_TOKEN CLOWNFISH_APP_GH_TOKEN GITHUB_TOKEN; do
+ token="${!candidate:-}"
+ if [ -z "$token" ]; then
+ continue
+ fi
+ if GH_TOKEN="$token" gh api "repos/${CLOWNFISH_ALLOWED_OWNER}/openclaw" --jq .full_name >/dev/null 2>/tmp/clownfish-gh-token-check.err; then
+ echo "GH_TOKEN=$token" >> "$GITHUB_ENV"
+ echo "selected $candidate for GitHub write/apply access"
+ exit 0
+ fi
+ echo "::warning::$candidate failed GitHub write/apply probe"
+ sed 's/./*/g' /tmp/clownfish-gh-token-check.err | head -n 1 || true
+ done
+ echo "no GitHub token could reach repos/${CLOWNFISH_ALLOWED_OWNER}/openclaw"
+ exit 1
+
 - uses: actions/setup-node@v5
 with:
 node-version: "24"
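Review bot: `echo "GH_TOKEN=$token" >> "$GITHUB_ENV"` exports the chosen token — by candidate order the `secrets.CLOWNFISH_GH_TOKEN` PAT whenever it is set — to every later step of the job, including `actions/setup-node@v5` and presumably an `npm` install step before the execute steps, whereas the per-step `env:` blocks removed in the second hunk confined it to the five consumers. Giving this step an `id:` and writing `echo "token=$token" >> "$GITHUB_OUTPUT"` instead, with `env: GH_TOKEN: ${{ steps.<id>.outputs.token }}` re-added on each of those steps, keeps the selection logic without widening the token's reach. Separately, `gh api "repos/${CLOWNFISH_ALLOWED_OWNER}/openclaw" --jq .full_name` only proves read access (a public repository answers for any valid token, and `github.token` can always read its own repository), so the "write/apply probe" wording in the two echo lines overstates what was verified; testing the `permissions.push` field of the same response, e.g. `--jq .permissions.push | grep -qx true`, is closer, though whether app installation tokens populate that field should be confirmed. `CLOWNFISH_ALLOWED_OWNER` is not set in this step's `env:` and presumably comes from job-level env outside the hunk, so under `set -u` an unset value aborts the step before any candidate is tried; on a self-hosted runner the fixed `/tmp/clownfish-gh-token-check.err` path would also be safer as `mktemp`.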
@@ -300,32 +324,22 @@ jobs:
 - name: Execute credited fix artifact
 if: ${{ env.CLOWNFISH_ALLOW_EXECUTE == '1' && env.CLOWNFISH_ALLOW_FIX_PR == '1' }}
 timeout-minutes: 30
- env:
- GH_TOKEN: ${{ secrets.CLOWNFISH_GH_TOKEN || steps.workflow_app_token.outputs.token || steps.app_token.outputs.token || github.token }}
 run: npm run execute-fix -- "${{ inputs.job }}" --latest
 - name: Apply safe closure actions
 if: ${{ env.CLOWNFISH_ALLOW_EXECUTE == '1' }}
- env:
- GH_TOKEN: ${{ secrets.CLOWNFISH_GH_TOKEN || steps.workflow_app_token.outputs.token || steps.app_token.outputs.token || github.token }}
 run: npm run apply-result -- "${{ inputs.job }}" --latest
 - name: Post-flight finalize fix PRs
 if: ${{ env.CLOWNFISH_ALLOW_EXECUTE == '1' && env.CLOWNFISH_ALLOW_FIX_PR == '1' }}
- env:
- GH_TOKEN: ${{ secrets.CLOWNFISH_GH_TOKEN || steps.workflow_app_token.outputs.token || steps.app_token.outputs.token || github.token }}
 run: npm run post-flight -- "${{ inputs.job }}" --latest
 - name: Apply post-flight closeouts
 if: ${{ env.CLOWNFISH_ALLOW_EXECUTE == '1' }}
- env:
- GH_TOKEN: ${{ secrets.CLOWNFISH_GH_TOKEN || steps.workflow_app_token.outputs.token || steps.app_token.outputs.token || github.token }}
 run: npm run apply-result -- "${{ inputs.job }}" --latest
 - name: Tag Clownfish targets
 if: ${{ always() && env.CLOWNFISH_ALLOW_EXECUTE == '1' }}
- env:
- GH_TOKEN: ${{ secrets.CLOWNFISH_GH_TOKEN || steps.workflow_app_token.outputs.token || steps.app_token.outputs.token || github.token }}
 run: npm run tag-clownfish -- .projectclownfish/runs --apply --live --open-branches false --report .projectclownfish/runs/clownfish-label-report.json
 - name: Upload final worker artifacts
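Review bot: With these `env:` blocks gone, the five `npm run` steps depend on a `GH_TOKEN` that exists only if the "Select GitHub write token" step from the first hunk exported it, and that step carries no `if:` and ends in `exit 1`, so a run with `CLOWNFISH_ALLOW_EXECUTE` unset — which skips every consumer here — now fails at the probe instead of completing as before. The `Tag Clownfish targets` step is the sharper case: `always()` makes it run even after the probe fails, but it has lost the `github.token` floor the removed expression guaranteed, so `npm run tag-clownfish ... --apply --live` then executes with no `GH_TOKEN` at all unless a job-level env outside the hunk supplies one. Gating the selection step on `if: ${{ env.CLOWNFISH_ALLOW_EXECUTE == '1' }}`, and restoring `env: GH_TOKEN: ${{ env.GH_TOKEN || github.token }}` on the tag step, would preserve the old behaviour for both cases. A comment above each consumer, `# GH_TOKEN is exported by the "Select GitHub write token" step via GITHUB_ENV`, would make the implicit ordering dependency visible to the next editor.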