yet another attempt to make dependabot changelogs work (#14021)

* yet another attempt to make dependabot changelogs work * Changelog
author: David Robertson <davidr@element.io> 2022-10-03 15:59:32 +0100
committer: GitHub <noreply@github.com> 2022-10-03 15:59:32 +0100
commit: 3ac0e76b799e0a1930b864fd1884c20f6eeb1f9e (patch)
tree: 9820bf6614270f03bc142708f3de8d8995edee14 /.github
parent: Bump docker/setup-buildx-action from 1 to 2 (#14015) (diff)
download: synapse-3ac0e76b799e0a1930b864fd1884c20f6eeb1f9e.tar.xz
1 files changed, 5 insertions, 0 deletions
diff --git a/.github/workflows/dependabot_changelog.yml b/.github/workflows/dependabot_changelog.yml
index 0349011478..dcad8d4a24 100644
--- a/.github/workflows/dependabot_changelog.yml
+++ b/.github/workflows/dependabot_changelog.yml
@@ -9,6 +9,9 @@ permissions:
   #     https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request
   # for a similar example
   contents: write
+  # The pull_requests "synchronize" event doesn't seem to fire with just `contents: write`, so
+  # CI doesn't run with the new changelog. Maybe `pull_requests: write` will fix this?
+  pull_requests: write
 
 jobs:
   add-changelog:
@@ -27,3 +30,5 @@ jobs:
           git commit -m "Changelog"
           git push
         shell: bash
+  # THIS WORKFLOW HAS VARIOUS WRITE PERMISSIONS---do not add other jobs here unless they
+  # are sufficiently locked down to dependabot only as above.
author	David Robertson <davidr@element.io>	2022-10-03 15:59:32 +0100
committer	GitHub <noreply@github.com>	2022-10-03 15:59:32 +0100
commit	3ac0e76b799e0a1930b864fd1884c20f6eeb1f9e (patch)
tree	9820bf6614270f03bc142708f3de8d8995edee14 /.github
parent	Bump docker/setup-buildx-action from 1 to 2 (#14015) (diff)
download	synapse-3ac0e76b799e0a1930b864fd1884c20f6eeb1f9e.tar.xz