Fix permissions with changie workflow

Author: rocktavious

.github/workflows/changie-gen.yaml

@@ -1,56 +1,62 @@
 name: Changie Gen
 
 on:
-  workflow_run:
-    workflows: [Dependabot Labels]
-    types:
-      - completed
+  pull_request:
+    # catch when the PR is opened with the label or when the label is added
+    types: [labeled]
+
+permissions:
+  contents: write
+  pull-requests: read
 
 jobs:
   generate-changelog:
+    if: contains(github.event.pull_request.labels.*.name, 'dependencies')
     env:
       MAIN_BRANCH: ${{ github.event.workflow_run.pull_requests[0].base.ref }}
       PR_BRANCH: ${{ github.event.workflow_run.pull_requests[0].head.ref }}
     runs-on: ubuntu-latest
     # NOTE: "github.event.workflow_run.conclusion" check needed within "steps"
     steps:
-    - name: Checkout branch that Dependabot labeled
-      if: github.event.workflow_run.conclusion == 'success'
-      uses: actions/checkout@v5
-      with:
-        ref: ${{ env.PR_BRANCH }}
-        token: ${{ secrets.ORG_GITHUB_TOKEN }}
+      - name: Checkout branch that Dependabot labeled
+        if: github.event.workflow_run.conclusion == 'success'
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ env.PR_BRANCH }}
+          token: ${{ secrets.GITHUB_TOKEN }}
 
-    - name: Check if changelog file exists already
-      if: github.event.workflow_run.conclusion == 'success'
-      shell: bash
-      id: changelog_check
-      run: |
-        git fetch origin ${{ env.MAIN_BRANCH }}
-        if [[ -n $(git diff --name-only main -- .changes/unreleased/*.yaml) ]]; then
-          echo "exists=true" >> $GITHUB_OUTPUT
-          echo "Changelog already exists for this PR, skip creating a new one"
-        else
-          echo "exists=false" >> $GITHUB_OUTPUT
-          echo "No changelog exists for this PR, creating a new one"
-        fi
+      - name: Check if changelog file exists already
+        if: github.event.workflow_run.conclusion == 'success'
+        shell: bash
+        id: changelog_check
+        run: |
+          git fetch origin ${{ env.MAIN_BRANCH }}
+          if [[ -n $(git diff --name-only main -- .changes/unreleased/*.yaml) ]]; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+            echo "Changelog already exists for this PR, skip creating a new one"
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+            echo "No changelog exists for this PR, creating a new one"
+          fi
 
-    - name: Create changie log
-      if: >-
-        github.event.workflow_run.conclusion == 'success' &&
-        steps.changelog_check.outputs.exists == 'false'
-      uses: miniscruff/changie-action@v2
-      with:
-        version: latest
-        args: new --kind Dependency --body "${{ github.event.workflow_run.display_title }}"
+      - name: Create changie log
+        if: >-
+          github.event.workflow_run.conclusion == 'success' &&
+          steps.changelog_check.outputs.exists == 'false'
+        uses: miniscruff/changie-action@v2
+        with:
+          version: latest
+          args: new --kind Dependency --body "${{ github.event.workflow_run.display_title }}"
 
-    - name: Commit & Push changes
-      if: github.event.workflow_run.conclusion == 'success' && steps.changelog_check.outputs.exists == 'false'
-      shell: bash
-      run: |
-        git config user.name "OpsLevel Bots"
-        git config user.email "bots@opslevel.com"
-        git pull
-        git add .
-        git commit -m "Add automated changelog yaml from template"
-        git push
+      - name: Commit & Push changes
+        if: >-
+          github.event.workflow_run.conclusion == 'success' &&
+          steps.changelog_check.outputs.exists == 'false'
+        shell: bash
+        run: |
+          git config user.name "OpsLevel Bots"
+          git config user.email "bots@opslevel.com"
+          git pull
+          git add .
+          git commit -m "Add automated changelog yaml from template"
+          git push