From 3d2c3f0700269e3bdcaf36f3e58ae857543af8d5 Mon Sep 17 00:00:00 2001
From: Martin Costello <martin@martincostello.com>
Date: Wed, 6 Sep 2023 14:44:56 +0100
Subject: [PATCH] Use bot token to clone repository (#1554)

- Use the bot token to clone the repository.
- Remove GITHUB_TOKEN permissions.
---
 .github/workflows/on-push-do-docs.yml | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/on-push-do-docs.yml b/.github/workflows/on-push-do-docs.yml
index 78bf38102f0..dc3dcf1e768 100644
--- a/.github/workflows/on-push-do-docs.yml
+++ b/.github/workflows/on-push-do-docs.yml
@@ -6,8 +6,7 @@ on:
     paths: [ "src/Snippets/**" ]
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   update-docs:
@@ -15,8 +14,19 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+
+      - name: Generate GitHub application token
+        id: generate-application-token
+        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db # v2.1.0
+        with:
+          application_id: ${{ secrets.POLLY_UPDATER_BOT_APP_ID }}
+          application_private_key: ${{ secrets.POLLY_UPDATER_BOT_KEY }}
+          permissions: "contents:write, pull_requests:write"
+
       - name: Checkout code
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        with:
+          token: ${{ steps.generate-application-token.outputs.token }}
 
       - name: Setup .NET SDK
         uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
@@ -64,15 +74,6 @@ jobs:
           git push -u origin $BranchName
           "updated-docs=true" >> $env:GITHUB_OUTPUT
 
-      - name: Generate GitHub application token
-        if: steps.update-docs.outputs.updated-docs == 'true'
-        id: generate-application-token
-        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db # v2.1.0
-        with:
-          application_id: ${{ secrets.POLLY_UPDATER_BOT_APP_ID }}
-          application_private_key: ${{ secrets.POLLY_UPDATER_BOT_KEY }}
-          permissions: "contents:write, pull_requests:write"
-
       - name: Create pull request
         if: steps.update-docs.outputs.updated-docs == 'true'
         uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1