From 01af1992af7bee7705849c1ac6e844adce5ec583 Mon Sep 17 00:00:00 2001 From: seth Date: Fri, 9 Feb 2024 01:14:45 -0500 Subject: actions: use scoped github.token --- .github/workflows/autobot.yaml | 3 ++- .github/workflows/update-inputs.yaml | 6 ++++-- .github/workflows/update-lock.yaml | 13 +++++++------ .github/workflows/update-nixpkgs.yaml | 6 ++++-- 4 files changed, 17 insertions(+), 11 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/autobot.yaml b/.github/workflows/autobot.yaml index fa33623..7715185 100644 --- a/.github/workflows/autobot.yaml +++ b/.github/workflows/autobot.yaml @@ -4,6 +4,7 @@ on: pull_request jobs: automerge: + name: Check and auto-merge runs-on: ubuntu-latest permissions: @@ -21,5 +22,5 @@ jobs: if: steps.metadata.outputs.update-type == 'version-update:semver-patch' run: gh pr merge --auto --rebase "$PR" env: + GH_TOKEN: ${{ github.token }} PR: ${{ github.event.pull_request.html_url }} - GITHUB_TOKEN: ${{ github.token }} diff --git a/.github/workflows/update-inputs.yaml b/.github/workflows/update-inputs.yaml index 745e60b..9e08a76 100644 --- a/.github/workflows/update-inputs.yaml +++ b/.github/workflows/update-inputs.yaml @@ -8,8 +8,10 @@ on: jobs: update: + permissions: + contents: write + pull-requests: write + uses: ./.github/workflows/update-lock.yaml with: commit-msg: "flake: update all inputs" - secrets: - token: ${{ secrets.MERGE_TOKEN }} diff --git a/.github/workflows/update-lock.yaml b/.github/workflows/update-lock.yaml index 1f2063c..36971d5 100644 --- a/.github/workflows/update-lock.yaml +++ b/.github/workflows/update-lock.yaml @@ -12,15 +12,16 @@ on: required: false default: "" type: string - secrets: - token: - description: PAT for creating creating/merging the PR - required: true jobs: update: + name: Update & make PR runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + steps: - uses: actions/checkout@v4 
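Review bot: The `gh pr merge --auto` step in autobot.yaml is gated only on `steps.metadata.outputs.update-type`, so whether a non-Dependabot PR can reach it depends entirely on the metadata step refusing such PRs, which the hunk does not show; I would add an explicit actor guard as defense in depth, `if: github.actor == 'dependabot[bot]' && steps.metadata.outputs.update-type == 'version-update:semver-patch'`. With `github.token` the merge also needs the job's `permissions:` block (its values are above this hunk and not visible) to include `contents: write` and `pull-requests: write`, and on a `pull_request` run from a fork the token is read-only, so the step fails there rather than merging — acceptable, but worth a comment such as `# github.token: same-repo (Dependabot) PRs only; fork PRs get a read-only token`. The `GITHUB_TOKEN` → `GH_TOKEN` rename is behaviour-neutral for `gh`, which honours both with `GH_TOKEN` taking precedence. The job's earlier steps lie outside the hunk.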
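Review bot: The new `permissions:` block on the `update` job in update-inputs.yaml is the ceiling for the `GITHUB_TOKEN` handed to the reusable workflow, and nothing here says why these two scopes are needed now that `secrets.MERGE_TOKEN` is gone. I would annotate each line: `contents: write  # push the update branch` and `pull-requests: write  # open the PR and enable auto-merge`. The called job in update-lock.yaml can only narrow what is granted here, so this block must stay at least as broad as that job's own `permissions:`; the `on:` trigger for this workflow is outside the hunk.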
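Review bot: Removing the `secrets.token` input from update-lock.yaml also removes the only text that described what the credential was for (`PAT for creating creating/merging the PR`), and the replacement job-level `permissions:` block carries no explanation. I would document it inline: `contents: write  # push the update branch with github.token` and `pull-requests: write  # open the PR and enable auto-merge`. Because this is a `workflow_call` workflow, these scopes are the job's request, capped by whatever each caller grants, so a note that callers must grant the same two scopes would save the next maintainer a failed run. The `on.workflow_call` inputs above line 12 are outside the hunk.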
@@ -34,11 +35,11 @@ jobs: commit-msg: ${{ inputs.commit-msg }} inputs: ${{ inputs.inputs }} pr-title: ${{ inputs.commit-msg }} - token: ${{ secrets.token }} + token: ${{ github.token }} - name: Enable auto-merge shell: bash run: gh pr merge --auto --rebase "$PR_ID" env: - GITHUB_TOKEN: ${{ secrets.token }} + GH_TOKEN: ${{ github.token }} PR_ID: ${{ steps.update.outputs.pull-request-number }} diff --git a/.github/workflows/update-nixpkgs.yaml b/.github/workflows/update-nixpkgs.yaml index 57726ec..2fd0ec5 100644 --- a/.github/workflows/update-nixpkgs.yaml +++ b/.github/workflows/update-nixpkgs.yaml @@ -8,9 +8,11 @@ on: jobs: update: + permissions: + contents: write + pull-requests: write + uses: ./.github/workflows/update-lock.yaml with: commit-msg: "flake: update nixpkgs" inputs: "nixpkgs nixpkgs-stable" - secrets: - token: ${{ secrets.MERGE_TOKEN }} -- cgit v1.2.3
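Review bot: Passing `token: ${{ github.token }}` to the PR-creating step means the resulting `pull_request` event will not start other workflows — GitHub suppresses runs for events caused by `GITHUB_TOKEN` — so autobot.yaml (`on: pull_request`) and any required status checks will not run on the update PR, and `gh pr merge --auto` will either wait indefinitely behind required checks or, if the branch has none, land the lock-file change without CI having run. This is the limitation a PAT or GitHub App installation token avoids, and the commit message does not mention the trade-off. If CI on these PRs is wanted, keep an app/PAT token for the PR-creation step only; otherwise document it, e.g. `# github.token: the PR will not trigger pull_request workflows (no CI before auto-merge)`. The step at `steps.update` is referenced only by id here, so the action receiving `token` is not visible in the hunk, and the job's earlier steps are outside it.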
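Review bot: As in update-inputs.yaml, the `permissions:` block added to the `update` job in update-nixpkgs.yaml is the cap on the token the reusable workflow receives, and it has no comment saying why `contents: write` and `pull-requests: write` are needed now that `secrets.MERGE_TOKEN` is gone. I would add `contents: write  # push the update branch` and `pull-requests: write  # open the PR and enable auto-merge`, and keep both callers aligned with the job-level block in update-lock.yaml, since the called job can only narrow what the caller grants. The `on:` trigger is outside the hunk.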