From 311a7bd88d6f05cdc0741373dd1e53c701d5cf1e Mon Sep 17 00:00:00 2001
From: ShaharNaveh <50263213+ShaharNaveh@users.noreply.github.com>
Date: Tue, 24 Mar 2026 02:29:32 +0100
Subject: [PATCH] Adjust permissions of `update-doc-db` job
---
 .github/workflows/update-doc-db.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/update-doc-db.yml b/.github/workflows/update-doc-db.yml
index 3b41a4df2e8..bcb766e0a35 100644
--- a/.github/workflows/update-doc-db.yml
+++ b/.github/workflows/update-doc-db.yml
@@ -1,8 +1,6 @@
 name: Update doc DB
-permissions:
- contents: write
- pull-requests: write
+permissions: {}
 on:
 workflow_dispatch:
@@ -22,6 +20,8 @@ defaults:
 jobs:
 generate:
+ permissions:
+ contents: read
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -54,17 +54,19 @@ jobs:
 merge:
 runs-on: ubuntu-latest
 needs: generate
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: true
 ref: ${{ inputs.base-ref }}
- token: ${{ secrets.AUTO_COMMIT_PAT }}
 - name: Create update branch
+ run: git switch -c "update-doc-${PYTHON_VERSION}"
 env:
 PYTHON_VERSION: ${{ inputs.python-version }}
- run: git switch -c "update-doc-${PYTHON_VERSION}"
 - name: Download generated doc DBs
 uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
@@ -107,7 +109,7 @@ jobs:
 - name: Commit, push and create PR
 env:
- GH_TOKEN: ${{ secrets.AUTO_COMMIT_PAT }}
+ GH_TOKEN: ${{ github.token }}
 PYTHON_VERSION: ${{ inputs.python-version }}
 BASE_REF: ${{ inputs.base-ref }}
 run: |
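Review bot: In the `merge` job's checkout step (third hunk), `persist-credentials: true` is kept while the explicit `token:` is removed, so the credential left behind for git is now the job's `github.token` with `contents: write` and `pull-requests: write`. It stays available to every later step in the job, including the ones that handle the artifacts downloaded from `generate`. If it is persisted only so the final push can authenticate, a comment on that line would record it, e.g. `# persisted so the git push in the last step can use the job token`. The remaining steps of `merge` lie outside this hunk, so whether anything between checkout and push executes generated content cannot be confirmed from here.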
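Review bot: With `GH_TOKEN: ${{ github.token }}` in the `Commit, push and create PR` step (fourth hunk), the push and the pull request are made by `GITHUB_TOKEN`, and GitHub does not start `push` or `pull_request` workflow runs for events created with that token. The generated PR would therefore presumably get no CI until someone re-triggers it, which may be why a PAT was used before. Creating the PR with this token also depends on the repository setting that allows GitHub Actions to create pull requests. Dropping the PAT is the lower-privilege choice, so a comment above the `env:` block should record the trade-off, for example `# GITHUB_TOKEN: checks are not triggered on the created PR; close/reopen it to run CI`. The step's `run: |` body is outside the hunk.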