Tidy NGINX PAT usage (#7886)

pdabelf5 · web-flow · commit a41b00c76299 · 2025-06-16T13:08:18.000+01:00
diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml
@@ -21,7 +21,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-          token: ${{ secrets.NGINX_PAT }}
+          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set release branch variable
         id: branch
@@ -35,6 +35,5 @@ jobs:
         uses: carloscastrojumo/github-cherry-pick-action@503773289f4a459069c832dc628826685b75b4b3 # v1.0.10
         with:
           branch: ${{ steps.branch.outputs.branch }}
-          token: ${{ secrets.NGINX_PAT }}
-          author: nginx-bot <integrations@nginx.com>
+          token: ${{ secrets.GITHUB_TOKEN }}
           title: "[cherry-pick] {old_title}"
diff --git a/.github/workflows/create-release-branch.yml b/.github/workflows/create-release-branch.yml
@@ -66,4 +66,4 @@ jobs:
               git push --dry-run origin "${branch}"
           fi
         env:
-          GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml
@@ -47,6 +47,7 @@ jobs:
   release:
     permissions:
       contents: write
+      pull-requests: write
     runs-on: ubuntu-22.04
     steps:
       - name: Branch
@@ -60,7 +61,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ steps.branch.outputs.branch }}
-          token: ${{ secrets.NGINX_PAT }}
+          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Replace
         run: |
@@ -72,10 +73,9 @@ jobs:
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
-          token: ${{ secrets.NGINX_PAT }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: Release ${{ github.event.inputs.new_version }}
           title: Release ${{ github.event.inputs.new_version }}
           branch: docs/release-${{ github.event.inputs.new_version }}
-          author: nginx-bot <integrations@nginx.com>
           body: |
             This automated PR updates the docs for ${{ github.event.inputs.new_version }} release.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -122,7 +122,7 @@ jobs:
             echo "Warning: Tag ${tag} already exists.  Not making any changes"
           fi
         env:
-          GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   mend:
     if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'mend') }}
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -38,7 +38,7 @@ jobs:
         with:
           results_file: results.sarif
           results_format: sarif
-          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
 
           # Publish the results for public repositories to enable scorecard badges. For more details, see
           # https://github.com/ossf/scorecard-action#publishing-results.
diff --git a/.github/workflows/update-docker-sha.yml b/.github/workflows/update-docker-sha.yml
@@ -46,6 +46,7 @@ jobs:
   update-docker-sha:
     permissions:
       contents: write
+      pull-requests: write
     runs-on: ubuntu-22.04
     needs: [vars]
     steps:
@@ -79,7 +80,7 @@ jobs:
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         id: pr
         with:
-          token: ${{ secrets.NGINX_PAT }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: Update docker images ${{ steps.update_images.outputs.docker_md5 }}
           title: Docker image update ${{ steps.update_images.outputs.docker_md5 }}
           branch: deps/image-update-${{ needs.vars.outputs.source_branch }}-${{ steps.update_images.outputs.docker_md5 }}
@@ -96,5 +97,5 @@ jobs:
         run: gh pr merge --auto --squash "$PR_URL"
         env:
           PR_URL: ${{ steps.pr.outputs.pull-request-url }}
-          GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         if: ${{ !inputs.dry_run && steps.update_images.outputs.change_detected == 'true' }}
diff --git a/.github/workflows/update-kubernetes-version.yml b/.github/workflows/update-kubernetes-version.yml
@@ -45,7 +45,7 @@ jobs:
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
-          token: ${{ secrets.NGINX_PAT }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: update kubernetes version to ${{ steps.k8s-version.outputs.version }} in helm schema
           title: update kubernetes version to ${{ steps.k8s-version.outputs.version }} in helm schema
           branch: chore/k8s-${{ steps.k8s-version.outputs.version }}
diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
@@ -27,6 +27,7 @@ jobs:
   version-bump:
     permissions:
       contents: write
+      pull-requests: write
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout Repository
@@ -50,11 +51,10 @@ jobs:
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
-          token: ${{ secrets.NGINX_PAT }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: Version Bump for ${{ github.event.inputs.ic_version }}
           title: Version Bump for ${{ github.event.inputs.ic_version }}
           branch: chore/version-bump-${{ github.event.inputs.ic_version }}
-          author: nginx-bot <integrations@nginx.com>
           labels: chore
           body: |
             This automated PR updates the NIC & Helm chart versions for the upcoming ${{ github.event.inputs.ic_version }} release.
