Template repository changes: remal-github-actions/template-typescript

Author: remal-github-actions

.github/workflows/build.yml

@@ -6,6 +6,9 @@ on:
     - main
   pull_request: { }
 
+permissions:
+  id-token: write
+
 defaults:
   run:
     shell: bash
@@ -23,10 +26,18 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
+    - name: Get GitHub Token
+      id: get-token
+      uses: remal/github-repository-token-issuer@v1
+      with:
+        scopes: |
+          contents: write
+          workflows: write
+
     - name: Checkout repository
       uses: actions/checkout@v6
       with:
-        token: ${{secrets.PUSH_BACK_TOKEN}}
+        token: ${{steps.get-token.outputs.token}}
         submodules: recursive
         lfs: true
         fetch-depth: 1

.github/workflows/rebase-dependabot-pull-requests.yml

@@ -12,9 +12,7 @@ on:
   workflow_dispatch: { }
 
 permissions:
-  pull-requests: write
-  issues: write
-  contents: read
+  id-token: write
 
 concurrency:
   group: rebase-dependabot-pull-requests-${{github.ref}}
@@ -30,5 +28,16 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
+    - name: Get GitHub Token
+      id: get-token
+      uses: remal/github-repository-token-issuer@v1
+      with:
+        scopes: |
+          pull_requests: write
+          issues: write
+          contents: read
+
     - name: Rebase Dependabot pull requests
       uses: remal-github-actions/rebase-dependabot-pull-requests@v1
+      with:
+        githubToken: ${{steps.get-token.outputs.token}}

.mergify/config.yml

@@ -25,6 +25,7 @@ pull_request_rules:
 
 - name: Sync with template
   conditions:
+  - 'author~=^(remal|repository-token-issuer\[bot\])$'
   - 'author=remal'
   - 'label=sync-with-template'
   - '#added-files=0'