From b98bbf73432734a2b70d542a25174123959c1a5c Mon Sep 17 00:00:00 2001
From: StyleShit <32631382+StyleShit@users.noreply.github.com>
Date: Sun, 3 May 2026 09:13:02 +0300
Subject: [PATCH] ci(sync-next): explain `ssh-key` usage [AR-57570]

---
 .github/workflows/sync-next.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/sync-next.yml b/.github/workflows/sync-next.yml
index 0b05ebe83..61f423144 100644
--- a/.github/workflows/sync-next.yml
+++ b/.github/workflows/sync-next.yml
@@ -3,9 +3,6 @@ name: Sync next branch
 on:
   workflow_dispatch:
 
-permissions:
-  contents: write
-
 jobs:
   sync:
     name: Sync
@@ -16,6 +13,10 @@ jobs:
         with:
           ref: next
           fetch-depth: 0
+
+          # We're using a deploy key here to be able to override the the branch protection rules.
+          # Force push is only allowed for admins, and the default `GITHUB_TOKEN` doesn't have admin
+          # permissions, and it can't be added to the bypass list, while a deploy key can.
           ssh-key: ${{ secrets.DEPLOY_KEY }}
 
       - name: Rebase onto main