From 43d4d0103a6d8617cb3659a807c6390bfe2f5ade Mon Sep 17 00:00:00 2001
From: Mukilan Thiyagarajan
Date: Mon, 28 Aug 2023 15:06:12 +0530
Subject: [PATCH] Use @servo-bot token for approving dependabot PR (#30222)
The default GITHUB_TOKEN is created for 'github-bot' user and has limitations. Specifically, events generated by this github-bot cannot trigger additional workflows. This PR uses fine-grained PAT generated for @servo-bot account with the permissions scoped to servo/servo repo and grants the 'contents: write' and 'pull_request: write' permissions.
Signed-off-by: Mukilan Thiyagarajan
---
 .github/workflows/dependabot-pr.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/dependabot-pr.yml b/.github/workflows/dependabot-pr.yml
index e53a6b94100..cd7bf272c1c 100644
--- a/.github/workflows/dependabot-pr.yml
+++ b/.github/workflows/dependabot-pr.yml
@@ -2,8 +2,7 @@ name: Approve & merge successful dependabot patch upgrade PRs
 on: pull_request
 permissions:
- contents: write
- pull-requests: write
+ pull-requests: read
 jobs:
 dependabot:
@@ -13,8 +12,6 @@ jobs:
 - name: Dependabot metadata
 id: metadata
 uses: dependabot/fetch-metadata@v1
- with:
- github-token: "${{ secrets.GITHUB_TOKEN }}"
 - name: Approve the PR & enable auto-merge
 if: ${{ steps.metadata.outputs.update-type == 'version-update:semver-patch' }}
 run: |
@@ -22,4 +19,4 @@ jobs:
 gh pr merge --auto --merge "$PR_URL"
 env:
 PR_URL: ${{github.event.pull_request.html_url}}
- GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ GH_TOKEN: ${{secrets.SERVO_DEPENDABOT_TOKEN}}
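Review bot: The new `pull-requests: read` line carries no comment explaining why the workflow token is read-only while the workflow still approves and merges PRs. A reader has to reach the last step's `env` to learn that the write operations moved to a separate secret. A comment above `permissions:` would make the split explicit, for example `# GITHUB_TOKEN is only used by dependabot/fetch-metadata to read the PR; approve/merge use a separate PAT`.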
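Review bot: The new `GH_TOKEN: ${{secrets.SERVO_DEPENDABOT_TOKEN}}` line gives this step a PAT that can approve and merge, so the conditions gating the step are now the whole control, and only the `update-type` check is visible in this hunk. The job-level condition sits outside the hunks; if it compares `github.actor`, consider also requiring `github.event.pull_request.user.login == 'dependabot[bot]'` so the approval applies only to PRs that Dependabot itself opened. For runs triggered by Dependabot, GitHub supplies Dependabot secrets rather than Actions secrets, so the token must be stored as a Dependabot secret or the expression expands to an empty string. A short comment above the line would record this, for example `# fine-grained PAT for @servo-bot, scoped to servo/servo; must be a Dependabot secret`.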