Committing changes (#277)

Co-authored-by: dependjinbot <dependjinbot@endjin.com>

.github/workflows/auto_merge.yml

@@ -22,46 +22,29 @@ on:
   # Success statuses can unblock the corresponding
   # pull requests and make them mergeable.
   status: {}
+  workflow_run:
+    workflows: [approve_and_label]
+    types:
+    - completed
+
+permissions:
+  contents: write
+  pull-requests: write
+  issues: write
+  checks: read
 
 jobs:
-  check_pr_from_fork:
-    name: Check PR from fork
-    runs-on: ubuntu-18.04
-    outputs: 
-      is_forked_pr: ${{ steps.check_pr_source.outputs.result }}
-    steps:
-      - name: Check PR source
-        id: check_pr_source
-        uses: actions/github-script@v2
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          # For PR-based events returns 'true' when the HEAD originates from a forked repo
-          # We do this to avoid security issues
-          script: |
-            return ( !(context.payload.pull_request) ? false : (
-              context.payload.pull_request.head.repo.full_name !== context.payload.pull_request.base.repo.full_name)
-            );
 
   auto_merge:
     name: Auto-squash the PR
     runs-on: ubuntu-18.04
-    # Don't run when the triggering event originates from a forked repos
-    needs: check_pr_from_fork
-    if: |
-      needs.check_pr_from_fork.outputs.is_forked_pr == 'false'
     steps:
-      - name: Generate token
-        id: generate_token
-        uses: tibdex/github-app-token@v1
-        with:
-          app_id: ${{ secrets.ENDJIN_BOT_APP_ID }}
-          private_key: ${{ secrets.ENDJIN_BOT_PRIVATE_KEY }}
       # This may not be strictly required, but should keep unmerged, closed PRs cleaner
       - name: Remove 'autosquash' label from closed PRs
         id: remove_autosquash_label_from_closed_prs
         uses: actions/github-script@v2
         with:
-          github-token: '${{ steps.generate_token.outputs.token }}'
+          github-token: '${{ secrets.GITHUB_TOKEN }}'
           script: |
             const pulls = await github.search.issuesAndPullRequests({
               q: 'is:pr is:closed label:autosquash',
@@ -80,6 +63,6 @@ jobs:
                 name: 'autosquash'
               });
             }
-      - uses: endjin/autosquash@v2.2
+      - uses: endjin/autosquash@v2.4
         with:
-          github_token: '${{ steps.generate_token.outputs.token }}'
+          github_token: '${{ secrets.GITHUB_TOKEN }}'

.github/workflows/dependabot_approve_and_label.yml

@@ -3,6 +3,10 @@ on:
   pull_request:
     types: [opened, reopened]
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   evaluate_dependabot_pr:
     runs-on: ubuntu-latest
@@ -42,7 +46,7 @@ jobs:
           echo "is_interesting_package (merge) : ${{ steps.parse_dependabot_pr_automerge.outputs.is_interesting_package }}"
           echo "is_interesting_package (release) : ${{ steps.parse_dependabot_pr_autorelease.outputs.is_interesting_package }}"
           echo "semver_increment : ${{ steps.parse_dependabot_pr_automerge.outputs.semver_increment }}"
-
+  
   approve:
     runs-on: ubuntu-latest
     needs: evaluate_dependabot_pr
@@ -62,19 +66,13 @@ jobs:
           echo "to_version       : ${{needs.evaluate_dependabot_pr.outputs.version_to}}"
           echo "<------------------------------------------------>"
         shell: bash
-      - name: Generate token
-        id: generate_token
-        uses: tibdex/github-app-token@v1
-        with:
-          app_id: ${{ secrets.ENDJIN_BOT_APP_ID }}
-          private_key: ${{ secrets.ENDJIN_BOT_PRIVATE_KEY }}
       - name: Approve pull request
         if: |
           needs.evaluate_dependabot_pr.outputs.is_auto_merge_candidate == 'True' &&
           (needs.evaluate_dependabot_pr.outputs.semver_increment == 'minor' || needs.evaluate_dependabot_pr.outputs.semver_increment == 'patch')
         uses: andrewmusgrave/automatic-pull-request-review@0.0.2
         with:
-          repo-token: '${{ steps.generate_token.outputs.token }}'
+          repo-token: '${{ secrets.GITHUB_TOKEN }}'
           event: APPROVE
           body: 'Thank you dependabot 🎊'
       - name: 'Update PR body'
@@ -83,34 +81,27 @@ jobs:
           (needs.evaluate_dependabot_pr.outputs.semver_increment == 'minor' || needs.evaluate_dependabot_pr.outputs.semver_increment == 'patch')
         uses: actions/github-script@v2
         with:
-          github-token: '${{ steps.generate_token.outputs.token }}'
+          github-token: '${{ secrets.GITHUB_TOKEN }}'
           script: |
             await github.pulls.update({
               owner: context.payload.repository.owner.login,
               repo: context.payload.repository.name,
               pull_number: context.payload.pull_request.number,
               body: "Bumps '${{needs.evaluate_dependabot_pr.outputs.dependency_name}}' from ${{needs.evaluate_dependabot_pr.outputs.version_from}} to ${{needs.evaluate_dependabot_pr.outputs.version_to}}"
             })
-
   label:
     runs-on: ubuntu-latest
     needs: evaluate_dependabot_pr
     name: Label
     steps:
-      - name: Generate token
-        id: generate_token
-        uses: tibdex/github-app-token@v1
-        with:
-          app_id: ${{ secrets.ENDJIN_BOT_APP_ID }}
-          private_key: ${{ secrets.ENDJIN_BOT_PRIVATE_KEY }}
       - name: 'Label auto-mergeable dependabot PRs with "autosquash"'
         if: |
           (github.actor == 'dependabot[bot]' || github.actor == 'dependjinbot[bot]' || github.actor == 'nektos/act') &&
           needs.evaluate_dependabot_pr.outputs.is_auto_merge_candidate == 'True' &&
           (needs.evaluate_dependabot_pr.outputs.semver_increment == 'minor' || needs.evaluate_dependabot_pr.outputs.semver_increment == 'patch')
         uses: actions/github-script@v2
         with:
-          github-token: '${{ steps.generate_token.outputs.token }}'
+          github-token: '${{ secrets.GITHUB_TOKEN }}'
           script: |
             await github.issues.addLabels({
               owner: context.payload.repository.owner.login,