
Allow dependabot PRs to complete without write access #83

Draft: wants to merge 13 commits into base: main

Conversation

Andy-Grigg
Collaborator

@Andy-Grigg Andy-Grigg commented Jun 12, 2023

Use a token to checkout the repo if we are potentially going to create a commit.

Dependabot-authored CI is currently failing because it doesn't have write permissions to the repo. I believe this is because the default token that is used for dependabot PRs doesn't have those permissions.

According to the EndBug/add-and-commit action, this token should be added when the repo is first cloned. Not 100% certain this is the right token, but we'll find out if we merge this and rebase the dependabot PR.

This PR is a testing ground to investigate ways of allowing dependabot PRs to complete without repository write access.

@Andy-Grigg Andy-Grigg requested a review from da1910 June 12, 2023 14:48
@Andy-Grigg
Collaborator Author

@da1910 Looks like the token is valid, and in your name, but doesn't have permissions. Do you remember what it was created for, and if it should have write permissions?

@da1910
Collaborator

da1910 commented Jun 13, 2023

> @da1910 Looks like the token is valid, and in your name, but doesn't have permissions. Do you remember what it was created for, and if it should have write permissions?

This token has only READ_PACKAGE permission, intended for pulling the code generator package. We could make a new token for this purpose, it'll need adding as an actions secret.

I'm somewhat 👎 to the idea of adding commits inside a dependabot workflow run however...

@Andy-Grigg
Collaborator Author

> > @da1910 Looks like the token is valid, and in your name, but doesn't have permissions. Do you remember what it was created for, and if it should have write permissions?
>
> This token has only READ_PACKAGE permission, intended for pulling the code generator package. We could make a new token for this purpose, it'll need adding as an actions secret.
>
> I'm somewhat 👎 to the idea of adding commits inside a dependabot workflow run however...

Well I think there are three possible outcomes from a dependabot run:

  1. No changes to the autogenerated code
  2. Changes to the autogenerated code, but the tests all still pass and everything is good
  3. Changes to the autogenerated code, and something is broken

Of those 3 scenarios, 1. is going to happen the majority of the time, and so committing anything is a bad idea. But if 2. does happen, committing that change is the right thing to do.

This is already sort of what's happening; it's just that the build number always gets bumped, which triggers the commit. Maybe for dependabot we can think of a way of ignoring this change, and then only commit if something else has changed.

@Andy-Grigg Andy-Grigg changed the title Use token for checkout Allow dependabot PRs to complete without write access Jun 14, 2023
@Andy-Grigg Andy-Grigg marked this pull request as draft June 14, 2023 18:17
@Andy-Grigg
Collaborator Author

The current CI shows an example of adjusting the version number passed into the code autogeneration when dependabot runs. There are probably nicer ways of doing it, but the grep example illustrates the point. When the code generation runs, there are no actual changes required, and so the git step doesn't do anything. This should mean the dependabot PR will succeed, assuming there are no changes.

If there are changes a human will have to intervene, but this will be required anyway.

Another approach would be to eliminate the version bumping from the process altogether. I think it's useful for human-led PRs though, so I'm inclined to keep it.
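The comments above sketch a rule: regenerate the code, ignore the automatic version bump, and only run the commit step when something else changed, so a dependabot-triggered run (which gets a read-only GITHUB_TOKEN and no repository secrets) never needs write access. The script below is an added illustration of that rule, not code from this pull request or from the project's CI. It assumes, hypothetically, that the version bump appears in `git diff` as a changed `__version__ = ...` line in a `_version.py` file and that `GITHUB_ACTOR` is set as GitHub Actions sets it (`dependabot[bot]` for dependabot PRs); the sample diffs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the PR): decide whether a regenerated-code diff
# contains anything beyond the automatic version bump, so a dependabot run
# with a read-only GITHUB_TOKEN never has to commit.
#
# Assumptions (hypothetical, not taken from the project):
#   - the version bump shows up in `git diff` as a changed line matching
#     VERSION_PATTERN, e.g.   __version__ = "1.2.3"
#   - GITHUB_ACTOR is set by GitHub Actions ("dependabot[bot]" for dependabot PRs)

VERSION_PATTERN='^[-+][[:space:]]*__version__[[:space:]]*='

# substantive_changes DIFF_TEXT
# Prints the +/- lines of a unified diff that are not version-bump lines
# (file headers and context lines are dropped). Exit status 0 if any remain.
substantive_changes() {
    printf '%s\n' "$1" \
      | grep -E '^[-+]' \
      | grep -Ev '^(\+\+\+|---) ' \
      | grep -Ev "$VERSION_PATTERN"
}

# needs_commit DIFF_TEXT
# True (exit 0) when the diff carries changes other than the version bump.
needs_commit() {
    substantive_changes "$1" >/dev/null
}

# is_dependabot
# True when the workflow was triggered by dependabot; that run has no push rights.
is_dependabot() {
    [ "${GITHUB_ACTOR:-}" = "dependabot[bot]" ]
}

# decide DIFF_TEXT  ->  prints one of: skip, commit, fail
#   skip:   only the version bump changed, so no write access is needed
#   commit: real changes on a human-triggered run, so the commit step may run
#   fail:   real changes on a dependabot run; nothing can push, a human must intervene
decide() {
    if ! needs_commit "$1"; then
        echo skip
    elif is_dependabot; then
        echo fail
    else
        echo commit
    fi
}

# Constructed sample diffs (not taken from the repository).
BUMP_ONLY='--- a/pkg/_version.py
+++ b/pkg/_version.py
@@ -1 +1 @@
-__version__ = "1.2.3"
+__version__ = "1.2.4"'

REAL_CHANGE="$BUMP_ONLY"'
--- a/pkg/client.py
+++ b/pkg/client.py
@@ -10,3 +10,3 @@
 def get(self):
-    return self._call("GET")
+    return self._call("GET", timeout=30)'

# Demonstration: the same diff yields a different decision depending on who triggered the run.
echo "bump only, any actor   -> $(decide "$BUMP_ONLY")"
echo "real change, dependabot -> $(GITHUB_ACTOR='dependabot[bot]'; decide "$REAL_CHANGE")"
echo "real change, human      -> $(GITHUB_ACTOR='someone'; decide "$REAL_CHANGE")"
```

In a workflow the output of `decide` would gate the commit step: `skip` lets the dependabot PR go green with the read-only token, `commit` keeps the existing behaviour for human-led PRs, and `fail` surfaces the case the discussion already accepts as needing a person, without ever handing a write-capable secret to a dependabot-triggered job.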

2 participants