
ci: use GITHUB_TOKEN to create hotfix candidate PR#2327

Merged
alandtse merged 1 commit into
community-shaders:devfrom
alandtse:ci/hotfix-open-pr-use-github-token
May 12, 2026

Conversation

@alandtse
Collaborator

@alandtse alandtse commented May 12, 2026

Run 25715374303 failed at Open PR against hotfix branch with:

pull request create failed: GraphQL: Resource not accessible by personal access token (createPullRequest)

The step was using RELEASE_PAT, which apparently lacks pull_requests: write on this repo. Rather than expand the PAT's scope, switch this single step to GITHUB_TOKEN — the workflow already declares:

permissions:
    contents: write
    pull-requests: write

so GITHUB_TOKEN has exactly the scope needed for gh pr create.

RELEASE_PAT is intentionally left in place on the two steps that genuinely need it:

  • Push maintenance branch (if new) and staging branch — needs to bypass branch protection on hotfix/X.Y.x, which GITHUB_TOKEN cannot do.
  • Close superseded staging PRs and branches — succeeded in run 25715374303 with the PAT, so leaving it untouched.

Minimal change, scoped to the failing step.

Summary by CodeRabbit

  • Chores
    • Improved hotfix release workflow reliability by updating token configuration and documentation. This prevents workflow failures related to authentication permissions during the PR creation step.


Run 25715374303 failed at the 'Open PR against hotfix branch' step
with:

  pull request create failed: GraphQL: Resource not accessible by
  personal access token (createPullRequest)

The step was using RELEASE_PAT, which apparently lacks
pull_requests:write on the repo. The workflow already declares

  permissions:
      contents: write
      pull-requests: write

so GITHUB_TOKEN has the right scope for this PR-create call without
expanding RELEASE_PAT. RELEASE_PAT remains in use on the steps that
genuinely need it (push to the protected hotfix branch; close
superseded PRs).
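The token split argued for above, as an added illustration that is not the repository's own release-hotfix.yaml: the permissions block and the step names are taken from the PR text, while the workflow input, branch naming and the exact git/gh commands are assumptions.

```yaml
# Illustrative reconstruction of the token split described in the PR, not the
# repository's own release-hotfix.yaml: permissions block and step names come
# from the PR text; input, branch naming and git/gh commands are assumptions.
name: release-hotfix

on:
  workflow_dispatch:
    inputs:
      series:
        description: "Maintenance series X.Y (assumed input)"
        required: true

# Declared by the workflow: the whole scope GITHUB_TOKEN receives for this run,
# and exactly what `gh pr create` needs.
permissions:
  contents: write
  pull-requests: write

jobs:
  hotfix:
    runs-on: ubuntu-latest
    env:
      MAINT_BRANCH: hotfix/${{ inputs.series }}.x           # assumed naming
      STAGING_BRANCH: hotfix-staging/${{ inputs.series }}   # assumed naming
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # Keeps RELEASE_PAT: GITHUB_TOKEN cannot bypass branch protection on
      # hotfix/X.Y.x, so this push authenticates with the PAT instead.
      - name: Push maintenance branch (if new) and staging branch
        env:
          RELEASE_PAT: ${{ secrets.RELEASE_PAT }}
        run: |
          git remote set-url origin \
            "https://x-access-token:${RELEASE_PAT}@github.com/${GITHUB_REPOSITORY}.git"
          git push origin "HEAD:refs/heads/${MAINT_BRANCH}"
          git push origin "HEAD:refs/heads/${STAGING_BRANCH}"

      # Before the fix GH_TOKEN here was secrets.RELEASE_PAT and the step failed
      # with "Resource not accessible by personal access token
      # (createPullRequest)": the PAT lacks pull_requests: write on this repo.
      # GITHUB_TOKEN, scoped by the permissions block above, is sufficient.
      - name: Open PR against hotfix branch
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh pr create --base "${MAINT_BRANCH}" --head "${STAGING_BRANCH}" \
            --title "Hotfix candidate for ${{ inputs.series }}.x" --body "Automated hotfix candidate (assumed text)."
```

One behaviour worth verifying after such a change: GitHub does not start new workflow runs for events created with GITHUB_TOKEN, so confirm that the candidate PR still receives its checks, which a PAT-created PR would have triggered.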
@coderabbitai
Contributor

coderabbitai Bot commented May 12, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 9a3e7b5 and 615c798.

📒 Files selected for processing (1)
  • .github/workflows/release-hotfix.yaml

📝 Walkthrough

The release-hotfix workflow's PR-creation step transitions from using a personal access token (RELEASE_PAT) to the default GitHub Actions token (GITHUB_TOKEN) for authentication. The change includes documentation explaining that the workflow's declared pull-requests: write permission provides sufficient scope for PR operations.

Changes

GitHub Token Authentication in Hotfix Workflow

  • Layer / File(s): Switch to GITHUB_TOKEN for PR creation (.github/workflows/release-hotfix.yaml)
  • Summary: The "Open PR against hotfix branch" step now uses secrets.GITHUB_TOKEN for GH_TOKEN instead of secrets.RELEASE_PAT, with inline comments documenting that the workflow's declared pull-requests: write permission suffices for PR creation, preventing resource-access failures.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Suggested reviewers

  • jiayev
  • doodlum

Poem

🐰 A token swapped, a secret blessed,
GITHUB_TOKEN passes the test,
No PAT required, permissions align,
The workflow's hotfix will surely shine! ✨

🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: switching from RELEASE_PAT to GITHUB_TOKEN for PR creation in the hotfix workflow.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@alandtse alandtse changed the title from "fix(ci): use GITHUB_TOKEN to create hotfix candidate PR" to "ci: use GITHUB_TOKEN to create hotfix candidate PR" May 12, 2026
@alandtse alandtse merged commit 1b8fbc6 into community-shaders:dev May 12, 2026
7 checks passed
ParticleTroned pushed a commit to ParticleTroned/skyrim-community-shaders that referenced this pull request May 15, 2026
ParticleTroned pushed a commit to ParticleTroned/skyrim-community-shaders that referenced this pull request May 16, 2026
IgorAlanAlbuquerque pushed a commit to IgorAlanAlbuquerque/skyrim-community-shaders that referenced this pull request May 29, 2026