fix: add packages:read permission, revert to GITHUB_TOKEN for npm

intel352 · claude · intel352 · commit bc11ee44e15b · 2026-03-13T05:28:47.000-04:00
The 403 was caused by missing packages:read in the workflow permissions
block, not the token type. REPO_DISPATCH_TOKEN lacks packages scope.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/sync-editor.yml b/.github/workflows/sync-editor.yml
@@ -6,6 +6,7 @@ on:
 
 permissions:
   contents: write
+  packages: read
 
 jobs:
   sync:
@@ -42,7 +43,7 @@ jobs:
           EDITOR_VERSION="${{ github.event.client_payload.version }}"
           npm install "@gocodealone/workflow-editor@${EDITOR_VERSION#v}"
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.REPO_DISPATCH_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Compute plugin version
         id: version
@@ -80,7 +81,7 @@ jobs:
           npx tsc --noEmit
           npm run build
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.REPO_DISPATCH_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Commit and tag
         run: |
