Use bot token to clone repository (#1554)

martincostello · web-flow · commit 3d2c3f070026 · 2023-09-06T13:44:56.000Z
- Use the bot token to clone the repository.
- Remove GITHUB_TOKEN permissions.
diff --git a/.github/workflows/on-push-do-docs.yml b/.github/workflows/on-push-do-docs.yml
@@ -6,17 +6,27 @@ on:
     paths: [ "src/Snippets/**" ]
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   update-docs:
     name: update-docs
     runs-on: ubuntu-latest
 
     steps:
+
+      - name: Generate GitHub application token
+        id: generate-application-token
+        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db # v2.1.0
+        with:
+          application_id: ${{ secrets.POLLY_UPDATER_BOT_APP_ID }}
+          application_private_key: ${{ secrets.POLLY_UPDATER_BOT_KEY }}
+          permissions: "contents:write, pull_requests:write"
+
       - name: Checkout code
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        with:
+          token: ${{ steps.generate-application-token.outputs.token }}
 
       - name: Setup .NET SDK
         uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
@@ -64,15 +74,6 @@ jobs:
           git push -u origin $BranchName
           "updated-docs=true" >> $env:GITHUB_OUTPUT
 
-      - name: Generate GitHub application token
-        if: steps.update-docs.outputs.updated-docs == 'true'
-        id: generate-application-token
-        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db # v2.1.0
-        with:
-          application_id: ${{ secrets.POLLY_UPDATER_BOT_APP_ID }}
-          application_private_key: ${{ secrets.POLLY_UPDATER_BOT_KEY }}
-          permissions: "contents:write, pull_requests:write"
-
       - name: Create pull request
         if: steps.update-docs.outputs.updated-docs == 'true'
         uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
