team-pr-auto-approve: Use RestrictedActions auto approver

.github/workflows/team-pr-auto-approve.yml

@@ -13,30 +13,25 @@ on:
       - reopened
       - ready_for_review
 
-permissions:
-  pull-requests: write
-
 jobs:
   approve:
     name: Auto approve
     runs-on: ubuntu-latest
 
     steps:
-      - name: Check if PR author has write access
+      - name: Generate access token
-        id: check-permission
+        id: generate-token
-        uses: actions-cool/check-user-permission@v2
+        uses: actions/create-github-app-token@v1
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          app-id: ${{ vars.RESTRICTED_ACTIONS_DISPATCH_ID }}
-          require: write
+          private-key: ${{ secrets.RESTRICTED_ACTIONS_DISPATCH_KEY }}
-          username: ${{ github.event.pull_request.user.login }}
+          owner: ${{ github.repository_owner }}
-          #technically this would be fine for dependabot but generally bots don't count as team members
+          repositories: RestrictedActions
-          check-bot: true
 
-        #TODO: Some way to avoid unnecessary repeated reviews would be nice here
+      - name: Dispatch restricted action
-
+        uses: peter-evans/repository-dispatch@v3
-      - name: Approve PR if authorized
-        if: steps.check-permission.outputs.require-result == 'true' && steps.check-permission.outputs.check-result == 'false'
-        uses: juliangruber/approve-pull-request-action@v2
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.generate-token.outputs.token }}
-          number: ${{ github.event.pull_request.number }}
+          repository: ${{ github.repository_owner }}/RestrictedActions
+          event-type: auto_approve_collaborator_pr
+          client-payload: '{"repo": "${{ github.repository }}", "pull_request_id": "${{ github.event.pull_request.number }}" }'