From 7179f9e2141778055dc18843c391a4d1eeea618a Mon Sep 17 00:00:00 2001
From: Josh
Date: Sun, 5 Apr 2026 22:43:14 -0400
Subject: [PATCH 1/2] ci(update-3rdparty): add permission check and fix broken push

- Add missing check-actor-permission gate (require: write)
- Add git remote set-url before push to provide credentials (persist-credentials: false meant git push had no auth)
- Move ${{ }} interpolations in run: blocks to env: variables

Signed-off-by: Josh
---
 .github/workflows/command-pull-3rdparty.yml | 26 +++++++++++++--------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/command-pull-3rdparty.yml b/.github/workflows/command-pull-3rdparty.yml
index 97ea974ea1a19..36db751b8fe87 100644
--- a/.github/workflows/command-pull-3rdparty.yml
+++ b/.github/workflows/command-pull-3rdparty.yml
@@ -20,6 +20,11 @@ jobs:
     if: github.event.issue.pull_request != '' && startsWith(github.event.comment.body, '/update-3rdparty')
     steps:
+      - name: Check actor permission
+        uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v2
+        with:
+          require: write
+
       - name: Add reaction on start
         uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v3.0.1
         with:
@@ -28,9 +33,6 @@ jobs:
           comment-id: ${{ github.event.comment.id }}
           reactions: '+1'
 
-      # issue_comment events carry no pull_request context in their payload, so we
-      # must fetch the PR via the API. This also gives us base.ref for free, avoiding
-      # a second API call. The GITHUB_TOKEN needs pull-requests:read (granted above).
       - name: Get pull request metadata
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         id: get-pr
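Review bot: The new gate step carries no comment recording why it has to stay the first step, and the ordering is load-bearing: the `Commit and push changes` step added later in this same commit pushes with `secrets.COMMAND_BOT_PAT` on behalf of whoever wrote the triggering comment, and the job-level `if:` only checks the comment prefix, so this step is the only authorization check visible here. Suggest adding above `- name: Check actor permission`: `# Must stay the first step: everything below acts with COMMAND_BOT_PAT on behalf of the commenter.` The action is SHA-pinned, which is the right call for a step that gates credential use.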
@@ -64,14 +66,15 @@ jobs:
           ref: ${{ steps.comment-branch.outputs.head_ref }}
       - name: Register server reference to fallback to master branch
+        env:
+          BASE_REF: ${{ steps.get-pr.outputs.base_ref }}
         run: |
-          base_ref="${{ steps.get-pr.outputs.base_ref }}"
-          if [[ "$base_ref" == "main" || "$base_ref" == "master" ]]; then
+          if [[ "$BASE_REF" == "main" || "$BASE_REF" == "master" ]]; then
             echo "server_ref=master" >> "$GITHUB_ENV"
             echo "Setting server_ref to master"
-          elif [[ "$base_ref" =~ ^stable[0-9]+$ ]]; then
-            echo "server_ref=$base_ref" >> "$GITHUB_ENV"
-            echo "Setting server_ref to $base_ref"
+          elif [[ "$BASE_REF" =~ ^stable[0-9]+$ ]]; then
+            echo "server_ref=$BASE_REF" >> "$GITHUB_ENV"
+            echo "Setting server_ref to $BASE_REF"
           else
             echo "Not based on master/main/stable*, so skipping pull 3rdparty command"
           fi
@@ -92,13 +95,16 @@ jobs:
       - name: Pull 3rdparty
         if: ${{ env.server_ref != '' }}
-        run: git submodule foreach 'if [ "$sm_path" == "3rdparty" ]; then git pull origin '"'"'${{ env.server_ref }}'"'"'; fi'
+        run: git submodule foreach 'if [ "$sm_path" == "3rdparty" ]; then git pull origin "'"$server_ref"'"; fi'
       - name: Commit and push changes
         if: ${{ env.server_ref != '' }}
+        env:
+          BOT_TOKEN: ${{ secrets.COMMAND_BOT_PAT }}
         run: |
+          git remote set-url origin "https://x-access-token:${BOT_TOKEN}@github.com/${{ github.repository }}.git"
           git add 3rdparty
-          git commit -s -m 'Update submodule 3rdparty to latest ${{ env.server_ref }}'
+          git commit -s -m "Update submodule 3rdparty to latest ${server_ref}"
           git push
       - name: Add reaction on failure

From 780e3f94ef671399c65ff53c0e81737b9ee7c6dc Mon Sep 17 00:00:00 2001
From: Josh
Date: Sun, 5 Apr 2026 22:53:09 -0400
Subject: [PATCH 2/2] chore: re-add accidentally dropped comments

Signed-off-by: Josh
---
 .github/workflows/command-pull-3rdparty.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/command-pull-3rdparty.yml b/.github/workflows/command-pull-3rdparty.yml
index 36db751b8fe87..52e63608b13ca 100644
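Review bot: In the `Commit and push changes` hunk, `git remote set-url origin "https://x-access-token:${BOT_TOKEN}@github.com/..."` writes the PAT into `.git/config` on the runner, where it outlives this step and is readable by everything that runs after it in the job (at least the `Add reaction on failure` step that follows), which undoes the step-scoping the new `env:` block gives `BOT_TOKEN`. Pushing to an explicit URL leaves the remote untouched: drop the `set-url` line and change the last line to `git push "https://x-access-token:${BOT_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" HEAD`, which pushes the checked-out branch under its own name. That also removes the `${{ github.repository }}` interpolation the same line keeps inside `run:` even though the commit's stated rule is to move such interpolations to `env:`; `GITHUB_REPOSITORY` is already a default runner environment variable, so no new `env:` entry is needed. The `server_ref` references in both hunks are fine as written, since the earlier hunk only writes it to `GITHUB_ENV` after the `master`/`^stable[0-9]+$` check.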
--- a/.github/workflows/command-pull-3rdparty.yml
+++ b/.github/workflows/command-pull-3rdparty.yml
@@ -33,6 +33,9 @@ jobs:
           comment-id: ${{ github.event.comment.id }}
           reactions: '+1'
 
+      # issue_comment events carry no pull_request context in their payload, so we
+      # must fetch the PR via the API. This also gives us base.ref for free, avoiding
+      # a second API call. The GITHUB_TOKEN needs pull-requests:read (granted above).
       - name: Get pull request metadata
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         id: get-pr