From 2c8fe7d27c81429a52ec5ba74f3ea8ab532df158 Mon Sep 17 00:00:00 2001
From: Martin Pokorny
Date: Mon, 11 May 2026 23:41:19 +0200
Subject: [PATCH] ci:use-repo-admin-token-for-dependabot
---
 .github/workflows/reusable-dependabot-auto-merge.yml | 10 +++++++---
 .github/workflows/reusable-dependabot-refresh.yml | 12 ++++++++----
 2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/reusable-dependabot-auto-merge.yml b/.github/workflows/reusable-dependabot-auto-merge.yml
index 36335bd..b783666 100644
--- a/.github/workflows/reusable-dependabot-auto-merge.yml
+++ b/.github/workflows/reusable-dependabot-auto-merge.yml
@@ -45,6 +45,10 @@ on:
 required: false
 default: true
 type: boolean
+ secrets:
+ REPO_ADMIN_TOKEN:
+ description: "PAT with repo access (recommended). Ensures branch updates trigger downstream workflows; falls back to GITHUB_TOKEN if unset."
+ required: false
 permissions: {}
@@ -72,7 +76,7 @@ jobs:
 env:
 PR_URL: ${{ inputs.pr_url }}
 GH_REPO: ${{ github.repository }}
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ secrets.REPO_ADMIN_TOKEN != '' && secrets.REPO_ADMIN_TOKEN || github.token }}
 run: |
 set -euo pipefail
 gh pr update-branch --repo "$GH_REPO" --rebase "$PR_URL" || true
@@ -83,7 +87,7 @@ jobs:
 env:
 PR_URL: ${{ inputs.pr_url }}
 GH_REPO: ${{ github.repository }}
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ secrets.REPO_ADMIN_TOKEN != '' && secrets.REPO_ADMIN_TOKEN || github.token }}
 run: |
 set -euo pipefail
 gh pr review --repo "$GH_REPO" --approve "$PR_URL" --body "Auto-approved Dependabot PR." || true
@@ -93,7 +97,7 @@ jobs:
 env:
 PR_URL: ${{ inputs.pr_url }}
 GH_REPO: ${{ github.repository }}
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ secrets.REPO_ADMIN_TOKEN != '' && secrets.REPO_ADMIN_TOKEN || github.token }}
 run: |
 set -euo pipefail
 method="${{ inputs.merge_method }}"
diff --git a/.github/workflows/reusable-dependabot-refresh.yml b/.github/workflows/reusable-dependabot-refresh.yml
index ae3dcaa..7c8cfff 100644
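Review bot: The new `REPO_ADMIN_TOKEN` secret in `@@ -45,6 +45,10 @@` is described only as "PAT with repo access", yet the steps that consume it (`@@ -72`, `@@ -83`, `@@ -93` here and `@@ -75`, `@@ -105`, `@@ -118`, `@@ -131` in reusable-dependabot-refresh.yml) only update, approve and merge pull requests, so a classic `repo`-scoped PAT grants far more than they use and its owner's access to every other repository rides along in the job environment. The description should pin the minimum, e.g. `description: "Token used to update, approve and merge Dependabot PRs. A fine-grained PAT (or GitHub App token) limited to this repository with write access to Contents and Pull requests is sufficient; falls back to GITHUB_TOKEN if unset."`. It is also worth stating there that approvals and merges made with this token are attributed to its owner, so callers should pass it only where the PR author has been verified to be dependabot[bot]; whether such a check exists is outside these hunks. Since the same fallback expression is repeated in every step, moving it to a job-level `env:` would keep the seven copies from drifting.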
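Review bot: The step in `@@ -93,7 +97,7 @@` now carries the PAT in `GH_TOKEN` while its run block still splices a workflow input straight into shell text with `method="${{ inputs.merge_method }}"`, so any unexpected characters in that input are interpreted by bash inside a step that holds the elevated token. The refresh workflow already does this the safer way by exporting the value through the environment; mirror it here by adding `MERGE_METHOD: ${{ inputs.merge_method }}` under `env:` and changing the line to `method="$MERGE_METHOD"`. The rest of that step's body lies outside the hunk.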
--- a/.github/workflows/reusable-dependabot-refresh.yml
+++ b/.github/workflows/reusable-dependabot-refresh.yml
@@ -55,6 +55,10 @@ on:
 required: false
 default: true
 type: boolean
+ secrets:
+ REPO_ADMIN_TOKEN:
+ description: "PAT with repo access (recommended). Ensures branch updates trigger downstream workflows; falls back to GITHUB_TOKEN if unset."
+ required: false
 permissions: {}
@@ -75,7 +79,7 @@ jobs:
 id: list
 shell: bash
 env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ secrets.REPO_ADMIN_TOKEN != '' && secrets.REPO_ADMIN_TOKEN || github.token }}
 GH_REPO: ${{ github.repository }}
 BASE_BRANCH: ${{ inputs.base_branch }}
 run: |
@@ -105,7 +109,7 @@ jobs:
 if: steps.list.outputs.count != '0' && inputs.update_branch
 shell: bash
 env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ secrets.REPO_ADMIN_TOKEN != '' && secrets.REPO_ADMIN_TOKEN || github.token }}
 GH_REPO: ${{ github.repository }}
 run: |
 set -euo pipefail
@@ -118,7 +122,7 @@ jobs:
 if: steps.list.outputs.count != '0' && inputs.approve_prs
 shell: bash
 env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ secrets.REPO_ADMIN_TOKEN != '' && secrets.REPO_ADMIN_TOKEN || github.token }}
 GH_REPO: ${{ github.repository }}
 run: |
 set -euo pipefail
@@ -131,7 +135,7 @@ jobs:
 if: steps.list.outputs.count != '0' && inputs.enable_auto_merge
 shell: bash
 env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ secrets.REPO_ADMIN_TOKEN != '' && secrets.REPO_ADMIN_TOKEN || github.token }}
 GH_REPO: ${{ github.repository }}
 MERGE_METHOD: ${{ inputs.merge_method }}
 run: |
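Review bot: The `list` step in `@@ -75,7 +79,7 @@` only enumerates pull requests as far as its visible lines show, yet it is switched to the PAT along with the mutating steps; a read-only step does not need the elevated token, and keeping `GH_TOKEN: ${{ github.token }}` there reserves the PAT for the update, approve and merge steps in `@@ -105`, `@@ -118` and `@@ -131`. If the listing does need the PAT (for example because `permissions: {}` leaves `github.token` without pull-request read access in the calling context), a one-line comment above the env entry saying so would save the next reader from reverting it. The step's run block begins in this hunk but its commands lie outside it.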