security: update GitHub workflows to use ISSUES_BOT_TOKEN instead of GITHUB_TOKEN (#4606)

Wolfsblvt
2025-10-06 10:33:38 +02:00
committed by GitHub
parent 39fd16fe86
commit c4cb0b783a
7 changed files with 20 additions and 20 deletions
+7 -7
@@ -32,7 +32,7 @@ jobs:
with:
configuration-path: .github/issues-auto-labels.yml
enable-versioned-regex: 0
repo-token: ${{ secrets.GITHUB_TOKEN }}
repo-token: ${{ secrets.ISSUES_BOT_TOKEN }}
label-on-labels:
name: 🏷️ Label Issues by Labels
@@ -46,7 +46,7 @@ jobs:
uses: actions-cool/issues-helper@v3.6.0
with:
actions: 'add-labels'
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ secrets.ISSUES_BOT_TOKEN }}
labels: '👍 Approved'
- name: ❌ Remove progress labels when issue is marked done or stale
@@ -56,7 +56,7 @@ jobs:
uses: actions-cool/issues-helper@v3.6.0
with:
actions: 'remove-labels'
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ secrets.ISSUES_BOT_TOKEN }}
labels: '🧑‍💻 In Progress,🤔 Unsure,🤔 Under Consideration'
- name: ❌ Remove temporary labels when confirmed labels are added
@@ -66,7 +66,7 @@ jobs:
uses: actions-cool/issues-helper@v3.6.0
with:
actions: 'remove-labels'
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ secrets.ISSUES_BOT_TOKEN }}
labels: '🤔 Unsure,🤔 Under Consideration'
- name: ❌ Remove no bug labels when "🪲 Confirmed" is added
@@ -76,7 +76,7 @@ jobs:
uses: actions-cool/issues-helper@v3.6.0
with:
actions: 'remove-labels'
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ secrets.ISSUES_BOT_TOKEN }}
labels: '✖️ Not Reproducible,✖️ Not A Bug'
remove-stale-label:
@@ -92,7 +92,7 @@ jobs:
uses: actions-cool/issues-helper@v3.6.0
with:
actions: 'remove-labels'
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ secrets.ISSUES_BOT_TOKEN }}
issue-number: ${{ github.event.issue.number }}
labels: '⚰️ Stale,🕸️ Inactive,🚏 Awaiting User Response,🛑 No Response'
@@ -113,4 +113,4 @@ jobs:
uses: peaceiris/actions-label-commenter@v1.10.0
with:
config_file: .github/issues-auto-comments.yml
github_token: ${{ secrets.GITHUB_TOKEN }}
github_token: ${{ secrets.ISSUES_BOT_TOKEN }}
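Review bot: The third-party actions in this file (`actions-cool/issues-helper@v3.6.0` in the `@@ -46` through `@@ -92` hunks, `peaceiris/actions-label-commenter@v1.10.0` in the last hunk) are referenced by version tag and now receive a stored secret instead of the per-job `GITHUB_TOKEN`. A tag can be moved to different code, and a stored token presumably outlives the job and may carry wider scope, so a compromised action release would expose more than before. Pin each `uses:` to a full commit SHA with the version in a trailing comment, e.g. `uses: actions-cool/issues-helper@<full-commit-sha>  # v3.6.0`, and keep `ISSUES_BOT_TOKEN` limited to issue and pull-request write on this repository. The same applies to `codelytv/pr-size-labeler@v1.10.2` and `eps1lon/actions-label-merge-conflict@v3.0.3` in the later file sections.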
@@ -31,7 +31,7 @@ jobs:
- name: Label Linked Issues
id: label_linked_issues
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ secrets.ISSUES_BOT_TOKEN }}
run: |
for ISSUE in $(echo $issues | jq -r '.[]'); do
if [ "${{ github.ref }}" == "refs/heads/staging" ]; then
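Review bot: `${{ github.ref }}` is expanded into the text of the `run:` script before the shell starts, and this step now carries `ISSUES_BOT_TOKEN` in `GH_TOKEN`, so a ref name containing shell syntax would run with the bot token in its environment. Pass the ref through the environment instead: add `REF: ${{ github.ref }}` under `env:` and compare with `if [ "$REF" == "refs/heads/staging" ]; then`. Quoting `"$issues"` in the `for` line is worth doing at the same time. The `run:` block continues past the end of the hunk, so any other `${{ }}` expansions in it should be checked the same way.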
+3 -3
@@ -22,7 +22,7 @@ jobs:
# https://github.com/marketplace/actions/close-stale-issues
uses: actions/stale@v9.1.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
repo-token: ${{ secrets.ISSUES_BOT_TOKEN }}
days-before-stale: 183
days-before-close: 7
operations-per-run: 30
@@ -56,7 +56,7 @@ jobs:
# https://github.com/marketplace/actions/close-stale-issues
uses: actions/stale@v9.1.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
repo-token: ${{ secrets.ISSUES_BOT_TOKEN }}
days-before-stale: 7
days-before-close: 7
operations-per-run: 30
@@ -83,7 +83,7 @@ jobs:
# https://github.com/marketplace/actions/close-stale-issues
uses: actions/stale@v9.1.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
repo-token: ${{ secrets.ISSUES_BOT_TOKEN }}
days-before-stale: 7
days-before-close: 7
operations-per-run: 30
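Review bot: Events produced with a stored user or app token start new workflow runs, whereas those made with `GITHUB_TOKEN` do not, so the comments and labels that `actions/stale` writes in these three steps may now trigger the label workflows in this repository. Other sections of this commit contain `remove-stale-label` jobs ("Remove Stale Label on Comment"); their `if:` conditions are not visible here, but if they do not exclude the bot account, a stale notice could remove its own `⚰️ Stale` label. Confirm those jobs filter on the comment author, e.g. `if: github.event.comment.user.login != '<bot-account-login>'`, and add a comment above each `repo-token:` line stating why the bot token is needed.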
+1 -1
@@ -23,6 +23,6 @@ jobs:
uses: actions-cool/issues-helper@v3.6.0
with:
actions: remove-labels
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ secrets.ISSUES_BOT_TOKEN }}
issue-number: ${{ github.event.issue.number || github.event.pull_request.number }}
labels: '🚏 Awaiting User Response,🧑‍💻 In Progress,📌 Keep Open,🚫 Merge Conflicts,🔬 Needs Testing,🔨 Needs Work,⚰️ Stale,⛔ Waiting For External/Upstream'
+1 -1
@@ -24,6 +24,6 @@ jobs:
uses: actions-cool/issues-helper@v3.6.0
with:
actions: 'add-labels'
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ secrets.ISSUES_BOT_TOKEN }}
issue-number: ${{ github.event.issue.number || github.event.pull_request.number }}
labels: '👷 Maintainer'
+6 -6
@@ -76,7 +76,7 @@ jobs:
# https://github.com/marketplace/actions/pull-request-size-labeler
uses: codelytv/pr-size-labeler@v1.10.2
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.ISSUES_BOT_TOKEN }}
xs_label: '🟩 ⬤○○○○'
xs_max_size: '20'
s_label: '🟩 ⬤⬤○○○'
@@ -109,7 +109,7 @@ jobs:
uses: actions/labeler@v5.0.0
with:
configuration-path: .github/pr-auto-labels-by-branch.yml
repo-token: ${{ secrets.GITHUB_TOKEN }}
repo-token: ${{ secrets.ISSUES_BOT_TOKEN }}
label-by-files:
name: 🏷️ Label PR by Files
@@ -129,7 +129,7 @@ jobs:
uses: actions/labeler@v5.0.0
with:
configuration-path: .github/pr-auto-labels-by-files.yml
repo-token: ${{ secrets.GITHUB_TOKEN }}
repo-token: ${{ secrets.ISSUES_BOT_TOKEN }}
remove-stale-label:
name: 🗑️ Remove Stale Label on Comment
@@ -150,7 +150,7 @@ jobs:
uses: actions-cool/issues-helper@v3.6.0
with:
actions: 'remove-labels'
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ secrets.ISSUES_BOT_TOKEN }}
issue-number: ${{ github.event.pull_request.number }}
labels: '⚰️ Stale'
@@ -250,7 +250,7 @@ jobs:
PR_NUMBER=${{ github.event.pull_request.number }}
REPO=${{ github.repository }}
API_URL="https://api.github.com/repos/$REPO/pulls/$PR_NUMBER/issues"
ISSUES=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "$API_URL" | jq -r '.[].number' | jq -R -s -c 'split("\n")[:-1]')
ISSUES=$(curl -s -H "Authorization: token ${{ secrets.ISSUES_BOT_TOKEN }}" "$API_URL" | jq -r '.[].number' | jq -R -s -c 'split("\n")[:-1]')
echo "linked_issues=$ISSUES" >> $GITHUB_ENV
- name: Merge Issue Lists
@@ -262,7 +262,7 @@ jobs:
- name: Label Linked Issues
id: label_linked_issues
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ secrets.ISSUES_BOT_TOKEN }}
run: |
for ISSUE in $(echo $final_issues | jq -r '.[]'); do
gh issue edit $ISSUE -R ${{ github.repository }} --add-label "✅ Done (staging)" --remove-label "🧑‍💻 In Progress"
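Review bot: In the `@@ -250` hunk the secret is written straight into the `curl` command with `${{ secrets.ISSUES_BOT_TOKEN }}`, so the token becomes part of the generated script and of the process arguments instead of staying in the environment. Give that step `GH_TOKEN: ${{ secrets.ISSUES_BOT_TOKEN }}` under `env:`, as the `Label Linked Issues` step already does, and send `-H "Authorization: token $GH_TOKEN"`. Separately, if this workflow runs on `pull_request` (the trigger is outside the hunks), repository secrets are not provided to runs from forks, so every `ISSUES_BOT_TOKEN` reference in this file would be empty there. If it runs on `pull_request_target`, the token sits in a job that handles untrusted PR data, and `$ISSUE` in the `gh issue edit` loop should be quoted and checked to be a number.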
@@ -23,6 +23,6 @@ jobs:
uses: eps1lon/actions-label-merge-conflict@v3.0.3
with:
dirtyLabel: '🚫 Merge Conflicts'
repoToken: ${{ secrets.GITHUB_TOKEN }}
repoToken: ${{ secrets.ISSUES_BOT_TOKEN }}
commentOnDirty: >
⚠️ This PR has conflicts that need to be resolved before it can be merged.