Adjust permissions of update-doc-db job

ShaharNaveh · ShaharNaveh · commit 311a7bd88d6f · 2026-03-24T02:39:34.000+01:00
diff --git a/.github/workflows/update-doc-db.yml b/.github/workflows/update-doc-db.yml
@@ -1,8 +1,6 @@
 name: Update doc DB
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 
 on:
   workflow_dispatch:
@@ -22,6 +20,8 @@ defaults:
 
 jobs:
   generate:
+    permissions:
+      contents: read
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -54,17 +54,19 @@ jobs:
   merge:
     runs-on: ubuntu-latest
     needs: generate
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: true
           ref: ${{ inputs.base-ref }}
-          token: ${{ secrets.AUTO_COMMIT_PAT }}
 
       - name: Create update branch
+        run: git switch -c "update-doc-${PYTHON_VERSION}"
         env:
           PYTHON_VERSION: ${{ inputs.python-version }}
-        run: git switch -c "update-doc-${PYTHON_VERSION}"
 
       - name: Download generated doc DBs
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
@@ -107,7 +109,7 @@ jobs:
 
       - name: Commit, push and create PR
         env:
-          GH_TOKEN: ${{ secrets.AUTO_COMMIT_PAT }}
+          GH_TOKEN: ${{ github.token }}
           PYTHON_VERSION: ${{ inputs.python-version }}
           BASE_REF: ${{ inputs.base-ref }}
         run: |
