From 62673a0678c9df780764a82f0392501869710f55 Mon Sep 17 00:00:00 2001
From: Todd Treece <360020+toddtreece@users.noreply.github.com>
Date: Fri, 3 Jan 2025 15:51:54 -0500
Subject: [PATCH] [ci] Update go workspace action permissions (#561)

* adds `id-token: write` permission, which is needed to prevent [this error](https://github.com/grafana/grafana-app-sdk/actions/runs/12599467998/job/35116430246#step:2:49)
* switch back to github action bot in git commits (this fix is already applied on the LTS branch)
* prevent forks from triggering go workspace action
---
 .github/workflows/dependabot.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
index 5432cba0..cbc2d5f6 100644
--- a/.github/workflows/dependabot.yml
+++ b/.github/workflows/dependabot.yml
@@ -15,10 +15,11 @@ on:
 - '**.go'
 permissions:
 contents: write
+ id-token: write
 jobs:
 update:
 runs-on: "ubuntu-latest"
- if: ${{ github.actor == 'dependabot[bot]' }}
+ if: ${{ github.actor == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }}
 continue-on-error: true
 steps:
 - name: Retrieve GitHub App secrets
@@ -51,8 +52,8 @@ jobs:
 - name: Configure Git
 run: |
- git config --local user.email "${APP_INSTALLATION_ID}+grafana-go-workspace-bot[bot]@users.noreply.github.com"
- git config --local user.name "grafana-go-workspace-bot[bot]"
+ git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git config --local user.name "github-actions[bot]"
 git config --local --add --bool push.autoSetupRemote true
 - name: Update workspace
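Review bot: `id-token: write` is added to the workflow-level `permissions:` block next to `contents: write`, so every job in this file that does not set its own permissions can request an OIDC token while also holding repository write access. Scoping both grants to the one job that needs them, with a `permissions:` mapping (`contents: write`, `id-token: write`) placed under `update:`, keeps the grant from spreading if more jobs are added later. The new `if:` still relies on `github.actor`, which names whoever triggered the run rather than the pull request's author; `github.event.pull_request.user.login == 'dependabot[bot]'` is the more robust check alongside the added fork comparison. The workflow's triggers sit above the hunk, so whether `github.event.pull_request` is always populated for this job should be confirmed.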
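Review bot: The two new `git config` lines in the `Configure Git` step hardcode the `github-actions[bot]` identity, while the `Retrieve GitHub App secrets` step visible in the first hunk suggests the push is still authenticated as a GitHub App, so commit author and pushing credential will presumably differ in the audit trail. A short comment above the lines would record that this is intentional, for example `# 41898282 is the github-actions[bot] user id; author is set independently of the App token used to push`. If `APP_INSTALLATION_ID` was exported only for the removed e-mail address, its `env:` entry (outside this hunk) can be dropped as well.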