Use @servo-bot token for approving dependabot PR (#30222)

The default GITHUB_TOKEN is created for 'github-bot' user and has limitations. Specifically, events generated by this github-bot cannot trigger additional workflows. This PR uses fine-grained PAT generated for @servo-bot account with the permissions scoped to servo/servo repo and grants the 'contents: write' and 'pull_request: write' permissions. Signed-off-by: Mukilan Thiyagarajan <mukilan@igalia.com>
2025-08-06 06:00:15 +01:00 · 2023-08-28 15:06:12 +05:30 · 2023-08-28 15:06:12 +05:30 · 43d4d0103a
commit 43d4d0103a
parent 528d6dfc98
1 changed files with 2 additions and 5 deletions
--- a/.github/workflows/dependabot-pr.yml
+++ b/.github/workflows/dependabot-pr.yml
@ -2,8 +2,7 @@ name: Approve & merge successful dependabot patch upgrade PRs
 on: pull_request

 permissions:
-  contents: write
-  pull-requests: write
+  pull-requests: read

 jobs:
  dependabot:
@ -13,8 +12,6 @@ jobs:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Approve the PR & enable auto-merge
        if: ${{ steps.metadata.outputs.update-type == 'version-update:semver-patch' }}
        run: |
@ -22,4 +19,4 @@ jobs:
          gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          GH_TOKEN: ${{secrets.SERVO_DEPENDABOT_TOKEN}}