fix(ci/automerge): use PAT token

- GitHub does not allow ordinary GITHUB_TOKEN to trigger other
  workflows, probably to avoid endless recursion
- using PAT might fix this

Signed-off-by: AtomicFS <[email protected]>

.cspell.json

@@ -51,6 +51,7 @@
     "acpica",
     "addinivalue",
     "addoption",
+    "automerge",
     "autopep",
     "blkio",
     "bsdmainutils",

.github/workflows/bot--automerge.yml

@@ -10,6 +10,7 @@ permissions: read-all
 
 jobs:
   # Enable auto-merge on all pull requests by default
+  # Docs: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request
   enable-auto-merge:
     runs-on: ubuntu-latest
     permissions:
@@ -21,12 +22,14 @@ jobs:
         uses: actions/checkout@v4
       - name: Enable pull request auto-merge
         run: |
-          gh pr merge --auto "${{ github.event.pull_request.number }}"
+          gh pr merge --auto "${PR_URL}"
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_PAT_AUTOMERGE }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
 
   # If PR is made by dependabot, automatically approve the PR
   # Linting and all checks will still have to pass in order for the PR to be merged
+  # Docs: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#approve-a-pull-request
   auto-approve-dependabot:
     runs-on: ubuntu-latest
     permissions:
@@ -36,8 +39,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Auto approve dependabot pull requests
-        if: github.actor == 'dependabot[bot]'
+        if: ${{ github.actor == 'dependabot[bot]' }}
         run: |
-          gh pr review "${{ github.event.pull_request.number }}" --approve
+          gh pr review "${PR_URL}" --approve
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}