Fine-grained PATs will also work

[jagthedrummer]

One of the strikes against using a PAT was the fact that they're not scoped to a repo, but recently GitHub has introduced "Fine-grained tokens" which can be scoped to a single repo.

I just ran some tests and can confirm that a fine-grained token will do the trick as long as you give it read/write access to "Contents" and "Pull Requests" under the "Repository Permissions" section. (Note that the "Metadata" permission will automatically be set to Read-only when you select either of the previously mentioned settings.)

Just thought I'd drop a note to help anyone who might be wondering.

[peter-evans]

Hi @jagthedrummer

Fine-grained PATs may work for some use cases, but not all. They are still in beta and some GitHub APIs don't support them yet.

For example, #1791

This is why I'm not updating the docs to make it the preferred method yet.
#1937

[rettenbs]

One thing I noticed: If the pull requests updates the workflows of the repository, the fine grain token needs the "Workflows" permission as well. Make sense to me but it took me awhile to figure it out.

[peter-evans]

For the upcoming v7 release I've been doing lots of testing with fine-grained permissions (both fine-grained PATs and GitHub App generated tokens). I've resolved a couple of issues and I'm now more confident that this action works fine with fine-grained tokens for all the use cases my test suite covers.

The new documentation for the v7 release is now updated to cover fine-grained tokens.

This issue can remain open for now and will be closed out on release of v7.