Fix the GHA permission issue. (#89)

Author: larry-aptos

.github/workflows/update-proto-dependency.yaml

@@ -13,6 +13,11 @@ on:
         required: true
         default: 'main'
 
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write
+
 jobs:
   update-the-dependency:
     runs-on: ubuntu-latest
@@ -22,23 +27,26 @@ jobs:
         with:
           workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
           service_account: ${{ secrets.GCP_SERVICE_ACCOUNT_EMAIL }}
-      - name: Fetch the Git Credentials
+      - name: Get Secret Manager Secrets
         id: secrets
         uses: 'google-github-actions/get-secretmanager-secrets@v2'
         with:
           secrets: |-
-            github_credentials:aptos-ci/GIT_CREDENTIALS
-      - name: Setup git credentials
-        shell: bash
+            token:aptos-ci/github-actions-repository-dispatch
+      - name: Configure Git user
         run: |
-          git config --global credential.helper store
-          echo "${{ steps.secrets.outputs.github_credentials }}" > ~/.git-credentials
+          git config --global user.name "Aptos Bot"
+          git config --global user.email "[email protected]"
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          token: ${{ steps.secrets.outputs.token }}
       - name: Setup Rust
         uses: actions-rust-lang/setup-rust-toolchain@v1
+
       - name: Install toml
         run: cargo install toml-cli
+      
       - name: Update the dependency
         run: |
           set -e
@@ -53,25 +61,30 @@ jobs:
            git add Cargo.toml
            git commit -m "Update aptos-protos to ${{ github.event.inputs.commit_hash || github.event.client_payload.commit_hash }}"
            git push origin "$branch_name" --force
+        env:
+          GITHUB_TOKEN: ${{ steps.secrets.outputs.token }}
         working-directory: aptos-indexer-processors-sdk/
+        
       - name: Check if PR Already Exists
         id: check_pr
         run: |
-          branch_name="${{ github.event.client_payload.branch_name }}-update-aptos-protos"
+          branch_name="${{ github.event.inputs.branch_name || github.event.client_payload.branch_name }}-update-aptos-protos"
           existing_pr=$(gh pr list --base main --head "$branch_name" --json number --jq '.[].number')
           if [ -n "$existing_pr" ]; then
             echo "::set-output name=if_pr_exists::true"
           else
             echo "::set-output name=if_pr_exists::false"
           fi
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.secrets.outputs.token }}
       - name: Create Pull Request
         if: steps.check_pr.outputs.if_pr_exists == 'false'
         run: |
-          branch_name="${{ github.event.client_payload.branch_name }}-update-aptos-protos"
+          branch_name="${{ github.event.inputs.branch_name || github.event.client_payload.branch_name }}-update-aptos-protos"
           gh pr create --title "Update aptos-protos to upstream branch ${{ github.event.client_payload.branch_name }}" \
                        --body "This PR updates aptos-protos to new version." \
                        --base main \
                        --head "$branch_name" \
                        --label "indexer-sdk-update"
+        env:
+          GITHUB_TOKEN: ${{ steps.secrets.outputs.token }}