From fb4c58c3134dd16a48717371a749b49ce6ca0eca Mon Sep 17 00:00:00 2001
From: seth
Date: Fri, 13 Oct 2023 11:23:07 -0400
Subject: actions: use GH_TOKEN for gh & scope permissions to jobs
---
 .github/workflows/autobot.yaml | 12 +++++++-----
 .github/workflows/update-lock.yaml | 10 +++++-----
 .github/workflows/upload.yaml | 6 +++---
 3 files changed, 15 insertions(+), 13 deletions(-)
(limited to '.github/workflows')
diff --git a/.github/workflows/autobot.yaml b/.github/workflows/autobot.yaml
index 9dc8df3..792158a 100644
--- a/.github/workflows/autobot.yaml
+++ b/.github/workflows/autobot.yaml
@@ -2,14 +2,16 @@ name: auto-merge dependabot
 on: pull_request
-permissions:
- contents: write
- pull-requests: write
-
 jobs:
 automerge:
 runs-on: ubuntu-latest
+
+ permissions:
+ contents: write
+ pull-requests: write
+
 if: github.actor == 'dependabot[bot]'
+
 steps:
 - uses: dependabot/fetch-metadata@v1
 id: metadata
@@ -21,4 +23,4 @@ jobs:
 run: gh pr merge --auto --rebase "$PR"
 env:
 PR: ${{ github.event.pull_request.html_url }}
- GITHUB_TOKEN: ${{ secrets.MERGE_TOKEN }}
+ GH_TOKEN: ${{ secrets.MERGE_TOKEN }}
diff --git a/.github/workflows/update-lock.yaml b/.github/workflows/update-lock.yaml
index 9e3301d..6603616 100644
--- a/.github/workflows/update-lock.yaml
+++ b/.github/workflows/update-lock.yaml
@@ -6,14 +6,14 @@ on:
 - cron: "0 0 * * 6"
 workflow_dispatch:
-permissions:
- contents: write
- pull-requests: write
-
 jobs:
 update:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+
 steps:
 - uses: actions/checkout@v4
 - uses: DeterminateSystems/nix-installer-action@main
@@ -30,5 +30,5 @@ jobs:
 shell: bash
 run: gh pr merge --auto --rebase "$PR_ID"
 env:
- GITHUB_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ github.token }}
 PR_ID: ${{ steps.update.outputs.pull-request-number }}
diff --git a/.github/workflows/upload.yaml b/.github/workflows/upload.yaml
index 93888d7..26f366a 100644
--- a/.github/workflows/upload.yaml
+++ b/.github/workflows/upload.yaml
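Review bot: The `if: github.actor == 'dependabot[bot]'` guard that now sits directly under the job's write permissions in autobot.yaml keys on who triggered the run, not on who opened the pull request, so it is a weak gate for a job that can merge. Checking the PR author is the tighter condition: `if: github.event.pull_request.user.login == 'dependabot[bot]'`. The `steps:` list continues outside this hunk, so whether any step actually needs `contents: write` on the job token cannot be confirmed from here.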
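Review bot: `gh` in the autobot.yaml merge step authenticates with `secrets.MERGE_TOKEN`, which the job-level `permissions:` block added in the first hunk does not limit; that block only shapes the automatic `github.token`. If no other step in the job writes with the automatic token (the steps in between are not visible here), the job grant could likely drop to read-only, e.g. `pull-requests: read`. The reach of MERGE_TOKEN deserves a comment next to the env entry, for instance `# MERGE_TOKEN: fine-grained PAT restricted to this repository`, adjusted to whatever the token really is. Because the run is triggered by Dependabot on `pull_request`, the secret presumably also has to exist as a Dependabot secret to be readable.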
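Review bot: `DeterminateSystems/nix-installer-action@main` in update-lock.yaml follows a moving branch inside a job that now holds `contents: write` and `pull-requests: write`, so whatever lands on that branch runs with the ability to push and open PRs here. Pinning to a full commit SHA keeps the scoped permissions meaningful: `- uses: DeterminateSystems/nix-installer-action@<full-commit-sha>  # <release-tag>` (placeholders, to be filled in from the action's releases). The same applies to `actions/checkout@v4`, which is a mutable tag. The remaining steps of the job are outside this hunk.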
@@ -8,13 +8,13 @@ on:
 - main
 workflow_dispatch:
-permissions:
- packages: write
-
 jobs:
 upload:
 runs-on: ubuntu-latest
+ permissions:
+ packages: write
+
 env:
 REGISTRY: ghcr.io
 USERNAME: getchoo
--
cgit v1.2.3
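Review bot: With an explicit `permissions:` block every scope that is not listed is set to `none`, so the upload job's token carries `packages: write` and nothing else, including no `contents` access. If the job checks out the repository (its steps are outside this hunk), declaring that keeps the workflow working on a private repository and makes the intent visible: add `contents: read` under `permissions:`. A short comment such as `# packages: write is needed to push to ghcr.io` would also document why the one write scope is there.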