From f263cae63ad20725e901208301e0464e37f4fd94 Mon Sep 17 00:00:00 2001
From: Jeff Widman
Date: Thu, 21 Mar 2024 03:44:52 +0000
Subject: [PATCH] Scope app token to only this repo for security

https://github.com/dependabot/fetch-metadata/pull/442 bumped to a new version of this action which now supports a `"repositories"` key that scopes the token to the designated repositories.
---
 .github/workflows/dependabot-auto-merge.yml | 1 +
 .github/workflows/dependabot-build.yml | 1 +
 .github/workflows/release-bump-version.yml | 1 +
 .github/workflows/release-move-tracking-tag.yml | 1 +
 4 files changed, 4 insertions(+)

diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 597497c6..ae0ece41 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -13,6 +13,7 @@ jobs:
         with:
           app_id: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_APP_ID }}
           private_key: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_PRIVATE_KEY }}
+          repositories: "dependabot/fetch-metadata"
 
       - name: Check out code
         uses: actions/checkout@v4
diff --git a/.github/workflows/dependabot-build.yml b/.github/workflows/dependabot-build.yml
index 40be8b65..3635c430 100644
--- a/.github/workflows/dependabot-build.yml
+++ b/.github/workflows/dependabot-build.yml
@@ -37,6 +37,7 @@ jobs:
         with:
           app_id: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_APP_ID }}
           private_key: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_PRIVATE_KEY }}
+          repositories: "dependabot/fetch-metadata"
 
       - uses: actions/checkout@v4
         with:
diff --git a/.github/workflows/release-bump-version.yml b/.github/workflows/release-bump-version.yml
index aa5a245c..200df2e6 100644
--- a/.github/workflows/release-bump-version.yml
+++ b/.github/workflows/release-bump-version.yml
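Review bot: The added `repositories` input narrows which repository the installation token can act on, but not which permissions it carries, so the token still inherits every permission granted to the app installation; if the token-minting action (its `uses:` line is above this hunk, outside the diff) also accepts a permissions input, pin the token to the least set each workflow needs. Because Actions only warns on inputs that a given action version does not recognize, confirm the version pinned on that `uses:` line actually implements `repositories` — otherwise the token is silently minted unscoped — and confirm it expects `owner/name` rather than a bare repository name, since a value in the wrong format may fail or be ignored. A comment above the new line such as `# restrict the installation token to this repository only` would make the intent survive future edits. The same change appears in dependabot-build.yml, release-bump-version.yml and release-move-tracking-tag.yml.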
@@ -24,6 +24,7 @@ jobs:
         with:
           app_id: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_APP_ID }}
           private_key: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_PRIVATE_KEY }}
+          repositories: "dependabot/fetch-metadata"
 
       - uses: actions/checkout@v4
         with:
diff --git a/.github/workflows/release-move-tracking-tag.yml b/.github/workflows/release-move-tracking-tag.yml
index 69327e51..7aedef51 100644
--- a/.github/workflows/release-move-tracking-tag.yml
+++ b/.github/workflows/release-move-tracking-tag.yml
@@ -34,6 +34,7 @@ jobs:
         with:
           app_id: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_APP_ID }}
           private_key: ${{ secrets.FETCH_METADATA_ACTION_AUTOMATION_PRIVATE_KEY }}
+          repositories: "dependabot/fetch-metadata"
 
       - uses: actions/checkout@v4
         with: