From b34647127c9b78d5902afdc71e19f4dc203fb5de Mon Sep 17 00:00:00 2001
From: Stephanie Anderson
Date: Wed, 25 Mar 2026 19:13:55 +0100
Subject: [PATCH 1/2] fix(ci): Use GitHub App token for draft PR enforcement
The default GITHUB_TOKEN lacks permission for the GraphQL convertPullRequestToDraft mutation ("Resource not accessible by integration"). Switch to the SDK Maintainer Bot GitHub App token which has the required pull-requests write scope.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/enforce-draft-pr.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/enforce-draft-pr.yml b/.github/workflows/enforce-draft-pr.yml
index 6a5da12272..2c73032c72 100644
--- a/.github/workflows/enforce-draft-pr.yml
+++ b/.github/workflows/enforce-draft-pr.yml
@@ -4,18 +4,23 @@ on:
 pull_request_target:
 types: [opened, reopened]
 
-permissions:
- pull-requests: write
-
 jobs:
 enforce-draft:
 name: Enforce Draft PR
 runs-on: ubuntu-24.04
 if: github.event.pull_request.draft == false
 steps:
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ vars.SDK_MAINTAINER_BOT_APP_ID }}
+ private-key: ${{ secrets.SDK_MAINTAINER_BOT_PRIVATE_KEY }}
+
 - name: Convert PR to draft
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 with:
+ github-token: ${{ steps.app-token.outputs.token }}
 script: |
 const pullRequest = context.payload.pull_request;
 const repo = context.repo;
From 027443013ba9335b369a1883764bda2d8069ba44 Mon Sep 17 00:00:00 2001
From: Stephanie Anderson
Date: Wed, 25 Mar 2026 19:18:27 +0100
Subject: [PATCH 2/2] fix: Apply suggestions from code review
Co-authored-by: sentry-warden[bot] <258096371+sentry-warden[bot]@users.noreply.github.com>
---
 .github/workflows/enforce-draft-pr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
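Review bot: In the PATCH 1/2 hunk, removing the top-level `permissions:` block leaves this `pull_request_target` workflow with no explicit permissions, so the job's default `GITHUB_TOKEN` falls back to whatever the repository or organization default grants rather than the minimum. Since the mutation now runs on the App token, the workflow token can be emptied with a top-level `permissions: {}`. The App token is also minted with every permission the installation holds; adding `permission-pull-requests: write` under the `with:` of the `Generate GitHub App token` step would limit it to the one scope the commit message says is needed. The `script:` body continues past the end of the hunk, so how the token is used there is not visible here.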
diff --git a/.github/workflows/enforce-draft-pr.yml b/.github/workflows/enforce-draft-pr.yml
index 2c73032c72..623fa84207 100644
--- a/.github/workflows/enforce-draft-pr.yml
+++ b/.github/workflows/enforce-draft-pr.yml
@@ -12,7 +12,7 @@ jobs:
 steps:
 - name: Generate GitHub App token
 id: app-token
- uses: actions/create-github-app-token@v2
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
 with:
 app-id: ${{ vars.SDK_MAINTAINER_BOT_APP_ID }}
 private-key: ${{ secrets.SDK_MAINTAINER_BOT_PRIVATE_KEY }}
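Review bot: The trailing `# v2` on the new `uses:` line names a moving major tag, so the comment does not record which release the pinned commit was taken from, unlike the `# v7.0.1` on the github-script pin in the same workflow. Recording the exact release instead, e.g. `# vX.Y.Z` (placeholder for the tag this SHA resolves to), lets a reviewer check the SHA against a published release and keeps later pin updates readable. This step handles the App private key, so an auditable pin matters more here than on most actions.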