diff --git a/.github/workflows/xds-apply-updates.yml b/.github/workflows/xds-apply-updates.yml
index 88e70c63ec3..e487d972f57 100644
--- a/.github/workflows/xds-apply-updates.yml
+++ b/.github/workflows/xds-apply-updates.yml
@@ -38,6 +38,7 @@ jobs:
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v7
         with:
+          token: ${{ secrets.ARMERIAN_PAT }}
           branch: update-xds-protobuf
           base: main
           author: Meri Kim <dl_armeria@linecorp.com>
diff --git a/.github/workflows/xds-sync-apis.yml b/.github/workflows/xds-sync-apis.yml
index 09a7e9766ff..f6f0d83a9b6 100644
--- a/.github/workflows/xds-sync-apis.yml
+++ b/.github/workflows/xds-sync-apis.yml
@@ -21,3 +21,4 @@ jobs:
     uses: ./.github/workflows/xds-apply-updates.yml
     with:
       target_version: ${{ needs.envoy-versions.outputs.target_version }}
+    secrets: inherit
diff --git a/xds-api/tools/update-api.sh b/xds-api/tools/update-api.sh
index e15f9be4c53..deaefd34439 100755
--- a/xds-api/tools/update-api.sh
+++ b/xds-api/tools/update-api.sh
@@ -4,7 +4,7 @@
 
 set -o errexit
 set -o pipefail
-set -o xtrace
+#set -o xtrace
 
 __dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
diff --git a/xds-api/tools/update-sha.sh b/xds-api/tools/update-sha.sh
index c5c50f42ca4..7f2713680e6 100755
--- a/xds-api/tools/update-sha.sh
+++ b/xds-api/tools/update-sha.sh
@@ -5,7 +5,28 @@
 set -o errexit
 set -o pipefail
 set -o nounset
-set -o xtrace
+#set -o xtrace
+
+# Optional: set GITHUB_TOKEN to avoid API rate limits
+# e.g. GITHUB_TOKEN=ghp_xxx ./update-sha.sh v1.36.4
+CURL_AUTH=()
+if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+  CURL_AUTH=(-H "Authorization: token $GITHUB_TOKEN")
+fi
+
+function github_curl() {
+  local HTTP_CODE BODY TMPFILE
+  TMPFILE=$(mktemp)
+  HTTP_CODE=$(curl -s -o "$TMPFILE" -w '%{http_code}' "${CURL_AUTH[@]+"${CURL_AUTH[@]}"}" "$@")
+  BODY=$(cat "$TMPFILE")
+  rm -f "$TMPFILE"
+  if [[ "$HTTP_CODE" -lt 200 || "$HTTP_CODE" -ge 300 ]]; then
+    echo "error: HTTP $HTTP_CODE from $*" >&2
+    echo "$BODY" >&2
+    return 1
+  fi
+  echo "$BODY"
+}
 
 function find_sha() {
   local CONTENT=$1
@@ -21,13 +42,17 @@ function find_date() {
 
 function find_envoy_sha_from_tag() {
   local TAG=$1
-  curl -s https://api.github.com/repos/envoyproxy/envoy/tags | grep "$TAG" -A 4 | grep sha | awk '{print $2}' | tr -d '"' | tr -d ","
+  github_curl https://api.github.com/repos/envoyproxy/envoy/tags | grep "$TAG" -A 4 | grep sha | awk '{print $2}' | tr -d '"' | tr -d ","
 }
 
 CURRENT_ENVOY_RELEASE=$(cat envoy_release)
 ENVOY_VERSION=$(find_envoy_sha_from_tag "$1")
+if [[ -z "$ENVOY_VERSION" ]]; then
+  echo "error: could not resolve SHA for tag '$1' (tag not found or API rate-limited)" >&2
+  exit 1
+fi
 
-CURL_OUTPUT=$(curl -s "https://raw.githubusercontent.com/envoyproxy/envoy/$ENVOY_VERSION/api/bazel/repository_locations.bzl")
+CURL_OUTPUT=$(github_curl "https://raw.githubusercontent.com/envoyproxy/envoy/$ENVOY_VERSION/api/bazel/repository_locations.bzl")
 
 GOOGLEAPIS_SHA=$(find_sha "$CURL_OUTPUT" com_google_googleapis)
 GOOGLEAPIS_DATE=$(find_date "$CURL_OUTPUT" com_google_googleapis)