From 8826b5fdfc22a916611f0cda9531549a395f247a Mon Sep 17 00:00:00 2001
From: Jayanth Koushik <mail@jkoushik.me>
Date: Mon, 8 Jul 2024 18:56:32 -0700
Subject: [PATCH] fix: fix `update-pre-commit-hooks` workflow

The `update-pre-commit-hooks` workflow used `REPO_PAT` as its token,
which caused it fail with the default permissions suggested for the
token (repo restricted 'contents:write' and 'pull_requests:write').
Custom tokens, used to allow pull requests to trigger workflows, need to
be global. This commit simply removes the dependence on `REPO_PAT`, and
uses the default `GITHUB_TOKEN` in the workflow--consequently the pull
request made by `update-pre-commit-hooks` will not trigger `check-pr`.
Additionally, 'pull_requests:write' is no longer listed as a required
permission for `REPO_PAT`.
---
 README.md                                      | 18 +++++++++---------
 dist/pyseed.py                                 |  6 ++----
 ...date_pre_commit_hooks_workflow.template.yml |  1 -
 src/pyseed.py                                  |  5 ++---
 4 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/README.md b/README.md
index da83fba..72b220b 100644
--- a/README.md
+++ b/README.md
@@ -218,9 +218,9 @@ The following operations are involved:
       permissions, used to create the GitHub repository. This token can
       be shared between projects, but it is highly recommended to create
       a separate token just for shiny-pyseed.
-   2. A token with 'contents:write' and 'pull_requests:write'
-      permissions for the project repository. This token is used for
-      creating GitHub releases and publishing the website.
+   2. A token with 'contents:write' permission for the project
+      repository. This token is used for creating GitHub releases and
+      publishing the website.
 2. The user will also need to create a PyPI access token for uploading
    releases to PyPI. For details, see <https://pypi.org/help/#apitoken>.
 3. The GitHub API is called to create a repository with the same name as
@@ -647,8 +647,8 @@ which are created by the optional second phase of the bootstrap script.
 They will need to be created manually if this phase was skipped. This
 section will indicate which of the following two secrets are needed by
 different workflows. `REPO_PAT` is a GitHub access token with
-'contents:write' and 'pull_requests:write' premissions for the
-repository, and `PYPI_TOKEN` is an access key for PyPI.
+'contents:write' premission for the repository, and `PYPI_TOKEN` is an
+access key for PyPI.
 
 **`release-new-version.yml`**
 This is the workflow for creating a new release of the project. It needs
@@ -686,7 +686,7 @@ windows-latest) and Python versions (configured during bootstrap).
 
 **`update-pre-commit-hooks.yml`**
 This workflow calls `pre-commit autoupdate` to update hooks to their
-latest version. If there are any changes, it will create a pull request;
-this requires the `REPO_PAT` secret. By default, this workflow will run
-automatically every month. This can be skipped during bootstrap;
-alternatively, update or remove the `schedule` section in the workflow.
+latest version. If there are any changes, it will create a pull request.
+By default, this workflow will run automatically every month. This can
+be skipped during bootstrap; alternatively, update or remove the
+`schedule` section in the workflow.
diff --git a/dist/pyseed.py b/dist/pyseed.py
index 5db0a77..a4f5259 100755
--- a/dist/pyseed.py
+++ b/dist/pyseed.py
@@ -1033,9 +1033,8 @@ def setup_github(config: dict[ConfigKey, Any]):
         release_token = getpass(
             f"\n[https://github.com/settings/personal-access-tokens/new] "
             f"create a personal access token with 'contents:write' "
-            f"and 'pull_requests:write' permissions for this project's repo "
-            f"({repo_owner}/{project_name}), and enter it here "
-            f"(or leave empty to skip this step): "
+            f"permission for this project's repo ({repo_owner}/{project_name})"
+            f"and enter it here (or leave empty to skip this step): "
         )
         if release_token:
             gh_secrets_manager.upload_actions_secret(
@@ -1823,7 +1822,6 @@ def main():
       - run: pre-commit autoupdate
       - uses: peter-evans/create-pull-request@v6
         with:
-          token: ${{ secrets.REPO_PAT }}
           commit-message: "chore: update pre-commit hooks"
           branch: update-pre-commit-hooks
           title: Update pre-commit hooks
diff --git a/src/data/update_pre_commit_hooks_workflow.template.yml b/src/data/update_pre_commit_hooks_workflow.template.yml
index bb54a9f..180d9d8 100644
--- a/src/data/update_pre_commit_hooks_workflow.template.yml
+++ b/src/data/update_pre_commit_hooks_workflow.template.yml
@@ -16,7 +16,6 @@ jobs:
       - run: pre-commit autoupdate
       - uses: peter-evans/create-pull-request@v6
         with:
-          token: ${{ secrets.REPO_PAT }}
           commit-message: "chore: update pre-commit hooks"
           branch: update-pre-commit-hooks
           title: Update pre-commit hooks
diff --git a/src/pyseed.py b/src/pyseed.py
index e82e1a5..30d26c8 100644
--- a/src/pyseed.py
+++ b/src/pyseed.py
@@ -1031,9 +1031,8 @@ def setup_github(config: dict[ConfigKey, Any]):
         release_token = getpass(
             f"\n[https://github.com/settings/personal-access-tokens/new] "
             f"create a personal access token with 'contents:write' "
-            f"and 'pull_requests:write' permissions for this project's repo "
-            f"({repo_owner}/{project_name}), and enter it here "
-            f"(or leave empty to skip this step): "
+            f"permission for this project's repo ({repo_owner}/{project_name})"
+            f"and enter it here (or leave empty to skip this step): "
         )
         if release_token:
             gh_secrets_manager.upload_actions_secret(