
@titusfortner (Member) commented Oct 24, 2025

User description

This should allow the stage-release workflow to automatically create the documentation PR, which is really difficult to do locally, so I hope this works.


PR Type

Bug fix


Description

  • Add missing GITHUB_TOKEN secret to stage-release workflow

  • Update update-documentation workflow to require GITHUB_TOKEN

  • Fix documentation PR creation in automated release process


Diagram Walkthrough

flowchart LR
  A["stage-release.yml"] -->|"passes GITHUB_TOKEN"| B["update-documentation.yml"]
  B -->|"requires GITHUB_TOKEN"| C["Documentation PR Creation"]

File Walkthrough

Relevant files

Configuration changes

stage-release.yml (.github/workflows/stage-release.yml), +1/-0
Add GITHUB_TOKEN secret to workflow call

  • Add GITHUB_TOKEN secret to update-documentation job invocation
  • Pass GITHUB_TOKEN from secrets to the reusable workflow

update-documentation.yml (.github/workflows/update-documentation.yml), +2/-1
Mark GITHUB_TOKEN as required secret

  • Mark GITHUB_TOKEN as required secret in workflow inputs
  • Enable documentation PR creation with proper authentication

@titusfortner titusfortner merged commit 4101ce1 into trunk Oct 24, 2025
13 checks passed
@titusfortner titusfortner deleted the build_docs branch October 24, 2025 23:55
@qodo-merge-pro (Contributor) commented

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢 No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
No custom compliance provided

Follow the guide to enable custom compliance check.

Compliance status legend
🟢 - Fully Compliant
🟡 - Partially Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@selenium-ci selenium-ci added the B-build Includes scripting, bazel and CI integrations label Oct 24, 2025
@qodo-merge-pro (Contributor) commented

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Security
Suggestion: Scope the GitHub token properly

To improve security, avoid setting GITHUB_TOKEN as a workflow-level environment
variable. Instead, pass the secret directly to the specific job that requires
it.

.github/workflows/update-documentation.yml [45-46]

-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+# This 'env' block should be removed from the workflow level.
+# The secret should be passed to the relevant job(s) instead.
+# For example, in the job that needs the token:
+#
+# jobs:
+#   your-job-name:
+#     secrets:
+#       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+#     steps:
+#       - name: Step that uses the token
+#         env:
+#           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+#         run: |
+#           # script that needs GITHUB_TOKEN
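Review bot: the replacement shown in this hunk is not a valid job definition: a job-level `secrets:` key is only accepted on a job that calls a reusable workflow with `uses:`, and such a job cannot have `steps:`, so the commented `your-job-name` block mixes two mutually exclusive job shapes. Drop the job-level `secrets:` lines and keep only the step-level `env:` under `- name: Step that uses the token`; for a job with steps, a step-scoped `env` is what keeps the token out of every other step's process environment, which is the narrowing this suggestion is after. Since the block being removed sits in a `workflow_call` workflow, confirm that nothing else in the file reads the workflow-level `GITHUB_TOKEN` before deleting it.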
Suggestion importance[1-10]: 7


Why: The suggestion correctly points out a security best practice to limit the scope of secrets, which the PR's current implementation violates by setting the GITHUB_TOKEN at the workflow level.

Impact: Medium

Category: Learned best practice
Suggestion: Avoid reserved secret name shadowing

Avoid redefining the reserved GITHUB_TOKEN input; rename the secret input to a
workflow-specific name and map it to GITHUB_TOKEN in env to prevent confusion
and collisions.

.github/workflows/update-documentation.yml [40-46]

 secrets:
   SELENIUM_CI_TOKEN:
     required: true
-  GITHUB_TOKEN:
+  DOCS_GH_TOKEN:
     required: true
 env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GITHUB_TOKEN: ${{ secrets.DOCS_GH_TOKEN }}
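Review bot: the rename only touches the callee, so on its own it breaks the call: `.github/workflows/stage-release.yml`, which this PR changed to pass `GITHUB_TOKEN` to the `update-documentation` job, would now be missing the required `DOCS_GH_TOKEN` and must be updated in the same change to pass `DOCS_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` under that job's `secrets:`. Two further checks before adopting it: the `env:` lines rewritten here (45-46) are the same workflow-level block the previous suggestion asks to remove, so the two suggestions cannot both be applied as written; and if the documentation PR is meant to have CI run on it, events created with the default `GITHUB_TOKEN` do not start new workflow runs, in which case `SELENIUM_CI_TOKEN`, already required two lines above, is the secret to map into `DOCS_GH_TOKEN` instead.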
Suggestion importance[1-10]: 6


Why: Relevant best practice - Use correct packaging/version spec syntax and explicit bounds when declaring required inputs/secrets; avoid shadowing/reserving names like GITHUB_TOKEN and document exact requirements.

Impact: Low
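Putting the PR's change and the two suggestions above together, here is an illustrative caller/callee pair. It is an added example, not the Selenium repository's actual workflow files: the job names, the `docs/` path, the branch naming, the `./scripts/generate-docs.sh` step and the `gh pr create` invocation are assumptions. The reusable workflow declares a workflow-specific secret name (`DOCS_GH_TOKEN`) instead of the reserved `GITHUB_TOKEN`, the caller maps its default token into that name, the job narrows `permissions` to what opening a PR needs, and the token is exposed only to the one step that uses it rather than at workflow level. The two files are written as two YAML documents separated by `---`.

```yaml
# Illustrative .github/workflows/stage-release.yml (caller; not the real file)
name: Stage release
on:
  workflow_dispatch:

jobs:
  update-documentation:
    uses: ./.github/workflows/update-documentation.yml
    # A job that calls a reusable workflow passes secrets here and has no
    # steps of its own. The caller's default token is mapped into the
    # callee's own secret name so the callee never declares GITHUB_TOKEN,
    # the reserved-name shadowing the second suggestion flags.
    secrets:
      SELENIUM_CI_TOKEN: ${{ secrets.SELENIUM_CI_TOKEN }}
      DOCS_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
---
# Illustrative .github/workflows/update-documentation.yml (callee; not the real file)
name: Update documentation
on:
  workflow_call:
    secrets:
      SELENIUM_CI_TOKEN:
        required: true
      DOCS_GH_TOKEN:
        required: true

# Deliberately no workflow-level `env:` block: a token placed there is
# visible to every job and every step in the file.

jobs:
  create-docs-pr:
    runs-on: ubuntu-latest
    # A called workflow can only narrow the caller's token permissions,
    # never widen them; list just what opening a PR needs.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4

      - name: Regenerate documentation
        run: ./scripts/generate-docs.sh   # assumed script name

      - name: Open documentation PR
        # Token scoped to this single step only; earlier steps never see it.
        env:
          GITHUB_TOKEN: ${{ secrets.DOCS_GH_TOKEN }}
        run: |
          git config user.name "selenium-ci"
          git config user.email "selenium-ci@users.noreply.github.com"
          git switch -c "docs-update-${GITHUB_RUN_ID}"
          git add docs/
          git commit -m "Update documentation"
          git push origin HEAD
          gh pr create --base trunk --fill
```

Because the callee can only narrow permissions, the caller (or the repository's default workflow permissions) must already grant at least `contents: write` and `pull-requests: write`, or the push or `gh pr create` fails with a 403. If the resulting PR needs `pull_request` workflows to run on it, map `SELENIUM_CI_TOKEN` into `DOCS_GH_TOKEN` in the caller instead of the default token, since events created with `GITHUB_TOKEN` do not trigger new workflow runs.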


Labels: B-build Includes scripting, bazel and CI integrations; Review effort 2/5

3 participants