From f7cb8be88a1283a99e92d061b8010500dce0b5f0 Mon Sep 17 00:00:00 2001
From: Genie Automagik
Date: Sun, 31 May 2026 22:20:09 +0000
Subject: [PATCH] fix: use built-in token for rolling PR workflow
---
 .github/workflows/rolling-pr.yml | 25 +++++++++++++++++--------
 docs/release-contract.md | 4 +++-
 2 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/rolling-pr.yml b/.github/workflows/rolling-pr.yml
index 4a04d87..bd41717 100644
--- a/.github/workflows/rolling-pr.yml
+++ b/.github/workflows/rolling-pr.yml
@@ -20,12 +20,24 @@ jobs:
 steps:
 - name: Check/Create Rolling PR
 env:
- GH_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+ # Use the built-in workflow token. A stale custom token should not make
+ # the release-boundary helper fail with 401 on scheduled runs.
+ GH_TOKEN: ${{ github.token }}
 run: |
- PR=$(gh pr list --repo ${{ github.repository }} --base main --head dev --state open --json number --jq '.[0].number')
+ set -euo pipefail
 
- if [ -z "$PR" ]; then
- gh pr create --repo ${{ github.repository }} \
+ PR=$(gh pr list --repo ${{ github.repository }} --base main --head dev --state open --json number --jq '.[0].number // ""')
+ if [ -n "$PR" ]; then
+ echo "Rolling PR #$PR exists and is up to date"
+ exit 0
+ fi
+
+ if [ "$(gh api repos/${{ github.repository }}/compare/main...dev --jq '.ahead_by')" = "0" ]; then
+ echo "dev has no commits ahead of main; no rolling PR needed"
+ exit 0
+ fi
+
+ gh pr create --repo ${{ github.repository }} \
 --base main --head dev \
 --title "chore: rolling promotion dev -> main" \
 --body "$(cat <<'BODY'
@@ -49,7 +61,4 @@ jobs:
 > Human approval required for merge to production.
 BODY
 )"
- echo "Created new rolling PR"
- else
- echo "Rolling PR #$PR exists and is up to date"
- fi
+ echo "Created new rolling PR"
diff --git a/docs/release-contract.md b/docs/release-contract.md
index 616cfee..15987cc 100644
--- a/docs/release-contract.md
+++ b/docs/release-contract.md
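Review bot: With `GH_TOKEN: ${{ github.token }}` the rolling PR is opened by the built-in token, and events caused by that token do not start other workflow runs, so any `pull_request`-triggered checks will not run when the PR is created (presumably they only appear after a later push to `dev` by a non-workflow actor). Because the PR body states that human approval gates the merge to production, the comment above `GH_TOKEN` should say so, e.g. `# Note: PRs opened with github.token do not trigger pull_request workflows.` The step also now depends on the job's `permissions:` block, which is outside this hunk: it needs `contents: read` and `pull-requests: write`, and the repository setting that allows Actions to create pull requests must be enabled. Separately, `${{ github.repository }}` is expanded into the script text before the shell runs; adding `GH_REPO: ${{ github.repository }}` under `env:` and dropping the `--repo` arguments keeps expressions out of the shell source.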
@@ -31,7 +31,9 @@ The npm package is SDK-only:
 ## Main release boundary
-`main` is the canonical release branch.
+`main` is the canonical release branch and the expected branch for long-lived production checkouts such as `/home/genie/prod/rlmx`.
+
+Use short-lived `drogo/` branches for focused source changes, then return the production checkout to `main` after merge/dogfood. Do not keep a long-lived `drogo/prod-rlmx` branch as the install/update authority.
 A release happens when a PR merges from `dev` to `main`: