From 982994eded3f7d3703bc2099bb485d29da475bb1 Mon Sep 17 00:00:00 2001
From: "Piotr P. Karwasz" <pkarwasz-github@apache.org>
Date: Thu, 18 Jun 2026 08:36:36 +0200
Subject: [PATCH] Adopt the Dependabot changelog 'draft trick'

Applies the consumer-side changes from logging-parent PR #476:

* `build.yaml` and `codeql-analysis.yaml` now subscribe to the
  `ready_for_review` pull request type, so required checks re-run when a
  Dependabot PR is taken out of draft.
* `process-dependabot.yaml` drops the `RECURSIVE_TOKEN` PAT secret, which
  is no longer needed now that the reusable workflow parks the PR in
  draft mode instead of pushing with a privileged token.

Assisted-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/build.yaml              | 7 +++++++
 .github/workflows/codeql-analysis.yaml    | 7 +++++++
 .github/workflows/process-dependabot.yaml | 7 ++-----
 3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 5d57675bbe1..9566bbb255f 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -24,6 +24,13 @@ on:
       - "2.25.x"
       - "release/2*"
   pull_request:
+    types:
+      # Standard types
+      - opened
+      - synchronize
+      - reopened
+      # Used in Dependabot PRs to retrigger required workflows
+      - ready_for_review
 
 # Cancel in-progress runs when a newer commit lands on the same PR; pushes to 2.x run to completion.
 concurrency:
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
index 139b2c782ce..cf59560a10c 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -22,6 +22,13 @@ on:
     branches: [ "2.x", "main" ]
   pull_request:
     branches: [ "2.x", "main" ]
+    types:
+      # Standard types
+      - opened
+      - synchronize
+      - reopened
+      # Used in Dependabot PRs to retrigger required workflows
+      - ready_for_review
   schedule:
     - cron: '32 12 * * 5'
 
diff --git a/.github/workflows/process-dependabot.yaml b/.github/workflows/process-dependabot.yaml
index 0688b148d3c..d67dfbdebda 100644
--- a/.github/workflows/process-dependabot.yaml
+++ b/.github/workflows/process-dependabot.yaml
@@ -39,13 +39,10 @@ jobs:
       }}
     uses: apache/logging-parent/.github/workflows/process-dependabot-reusable.yaml@gha/v0
     permissions:
-      # The default GITHUB_TOKEN will be used to enable the "auto-merge" on the PR
-      # This requires the following two permissions:
+      # Append the changelog commit
       contents: write
+      # Convert the PR into draft
       pull-requests: write
-    secrets:
-      # This token will be used to push new content to the repo and trigger workflows again
-      RECURSIVE_TOKEN: ${{ secrets.DEPENDABOT_TOKEN }}
     with:
       # The path to the changelog directory for the current development branch.
       changelog-path: src/changelog/.2.x.x