From 9f1a0a2d59384f4d2e2919ed203b782c0e60028e Mon Sep 17 00:00:00 2001 From: Michael Waddell Date: Tue, 22 Mar 2022 13:55:33 -0500 Subject: [PATCH 1/2] Updated readme for when you need to use a PAT --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 948aab25..55680b6c 100644 --- a/README.md +++ b/README.md @@ -26,6 +26,7 @@ jobs: with: alert-lookup: true compat-lookup: true + github-token: "${{ secrets.PAT_TOKEN }}" ``` Supported inputs are: @@ -33,6 +34,7 @@ Supported inputs are: - `github-token` (string) - The `GITHUB_TOKEN` secret - Defaults to `${{ github.token }}` + - Note: this must be set to a [personal access token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) if you enable `alert-lookup` or `compat-token`. - `alert-lookup` (boolean) - If `true`, then populate the `alert-state`, `ghsa-id` and `cvss` outputs. - Defaults to `false` 
@@ -98,13 +100,12 @@ jobs: run: gh pr review --approve "$PR_URL" env: PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} ``` ### Enabling auto-merge If you are using [the auto-merge feature](https://docs.github.com/en/github/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request) on your repository, -you can set up an action that will enable Dependabot PRs to merge once CI and other [branch protection rules](https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule) are met. +you can set up an action that will enable Dependabot PRs to merge once CI and other [branch protection rules](https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule) are met. (Note that you must use a [personal access token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) when executing the merge instruction.) For example, if you want to automatically merge all patch updates to Rails: @@ -127,7 +128,7 @@ jobs: run: gh pr merge --auto --merge "$PR_URL" env: PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + GITHUB_TOKEN: ${{secrets.PAT_TOKEN}} ``` ### Labelling @@ -156,5 +157,4 @@ jobs: run: gh pr edit "$PR_URL" --add-label "production" env: PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} ``` From a70ed12cac3290ede3178baf5937a897b1bb3baa Mon Sep 17 00:00:00 2001 From: Michael Waddell Date: Tue, 22 Mar 2022 13:58:58 -0500 Subject: [PATCH 2/2] put those back to be more explicit --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 55680b6c..fc837bbb 100644 --- a/README.md +++ b/README.md 
@@ -100,6 +100,7 @@ jobs: run: gh pr review --approve "$PR_URL" env: PR_URL: ${{github.event.pull_request.html_url}} + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} ``` ### Enabling auto-merge @@ -157,4 +158,5 @@ jobs: run: gh pr edit "$PR_URL" --add-label "production" env: PR_URL: ${{github.event.pull_request.html_url}} + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} ```
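Review bot: In PATCH 1/2, the note added under `github-token` in the "Supported inputs" list (hunk `@@ -33,6 +34,7 @@`) names `compat-token`, but the input shown in the workflow example a few lines above it is `compat-lookup`. As written, the note points readers at an input that appears nowhere else in the diff. Suggest changing the end of the sentence to "if you enable `alert-lookup` or `compat-lookup`".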
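Review bot: In PATCH 1/2, the README gives no guidance on scoping the personal access token that replaces the default token, both in the added `github-token: "${{ secrets.PAT_TOKEN }}"` line (hunk `@@ -26,6 +26,7 @@`) and in the auto-merge step's `GITHUB_TOKEN: ${{secrets.PAT_TOKEN}}` (hunk `@@ -127,7 +128,7 @@`). It also never says that a secret named `PAT_TOKEN` has to be created first. Suggest stating the minimum scopes the PAT needs next to the new note under `github-token`, and adding a sentence to the auto-merge parenthetical on why the default token is not sufficient there, so readers do not store a broadly scoped token just to make the example work.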
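Review bot: PATCH 2/2 only re-adds the `GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}` lines that PATCH 1/2 deleted from the `gh pr review --approve "$PR_URL"` and `gh pr edit "$PR_URL" --add-label "production"` steps, so the series passes through an intermediate state where those two examples have no token in `env`. Suggest squashing the two commits so the net change to the example steps is just the auto-merge step's token, and giving the squashed commit a subject that says which steps need the PAT.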