diff --git a/.github/workflows/README.md b/.github/workflows/README.md index 8c9d1bf3569..12f59925618 100644 --- a/.github/workflows/README.md +++ b/.github/workflows/README.md @@ -33,12 +33,13 @@ Cherry-picks a specific commit into a target branch. **File:** `dependabot-azp-trigger.yml` -Automatically comments `/azp run PR` on pull requests opened or updated by Dependabot, triggering Azure Pipelines CI without manual intervention. +Automatically comments `/azp run PR` on pull requests opened or updated by Dependabot, triggering Azure Pipelines CI without manual intervention. The comment is posted using rnbot's PAT (`RNBOT_GITHUB_PAT`) so AZP recognizes the trigger. **Trigger:** Runs on `pull_request_target` events (`opened`, `synchronize`, `reopened`) when the PR author is `dependabot[bot]`. +**Setup:** Requires a `RNBOT_GITHUB_PAT` GitHub Actions secret containing rnbot's personal access token with `repo` scope. + **Notes:** -- Uses `pull_request_target` so the workflow has write permissions to comment on Dependabot PRs - Checks `github.event.pull_request.user.login` (not `github.actor`) so it still triggers when a maintainer clicks "Update branch" - Fires on `opened`, `synchronize` (new pushes/rebases), and `reopened` events \ No newline at end of file diff --git a/.github/workflows/dependabot-azp-trigger.yml b/.github/workflows/dependabot-azp-trigger.yml index ce0a48a8670..0c4072a6bf1 100644 --- a/.github/workflows/dependabot-azp-trigger.yml +++ b/.github/workflows/dependabot-azp-trigger.yml @@ -4,9 +4,6 @@ on: pull_request_target: types: [opened, synchronize, reopened] -permissions: - pull-requests: write - jobs: trigger-azp: if: github.event.pull_request.user.login == 'dependabot[bot]' @@ -14,7 +11,7 @@ jobs: steps: - name: Comment /azp run PR env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ secrets.RNBOT_GITHUB_PAT }} run: | gh pr comment "${{ github.event.pull_request.number }}" \ --repo "${{ github.repository }}" \
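Review bot: Deleting the `permissions:` block in the first hunk of `dependabot-azp-trigger.yml` does not drop the automatic token to nothing; it falls back to the repository or organization default, which on repositories still using the legacy default is read/write for every scope, and the job no longer needs `GITHUB_TOKEN` at all now that it comments with the PAT. Replace the removed lines with an explicit empty grant, `permissions: {}`, so the `GITHUB_TOKEN` handed to this `pull_request_target` job is provably inert, and add a one-line comment such as `# GITHUB_TOKEN unused; the comment is posted with RNBOT_GITHUB_PAT` so the next maintainer does not re-widen it. If some organization policy already forces a read-only default, the explicit block is still the cheaper thing to reason about when auditing this workflow.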
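Review bot: The second hunk puts a user PAT into a `pull_request_target` job, which runs with base-repository secrets on events raised by any pull request, including ones from forks; the `if:` gate on `github.event.pull_request.user.login == 'dependabot[bot]'` is the only thing between an arbitrary PR and this token, so this job must never grow a checkout or any execution of PR-controlled content (none is visible in the hunk, and `pull_request.number` and `github.repository` are not attacker-controlled strings). The README change in the same commit describes the secret as a classic `repo`-scope token, which grants write access to every repository rnbot can reach; `gh pr comment` only needs pull-request write on this repository, so a fine-grained PAT limited to this repo with `Pull requests: write` would bound the blast radius if the secret ever leaks from a log or a compromised action. I would also record the constraint next to the token, e.g. `# Must be a PAT, not GITHUB_TOKEN: AZP apparently ignores /azp commands from github-actions[bot] (see README)`, since that reason is otherwise only implied by the README's "so AZP recognizes the trigger".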