Remove workflow permissions and require secrets.PAT for Dependabot workflow tokens

Author: austenstone

.github/workflows/copilot-dependabot-update.yml

@@ -4,12 +4,6 @@ on:
   pull_request:
     types: [opened, synchronize, reopened]
 
-permissions:
-  contents: read
-  pull-requests: write
-  issues: write
-  repository-projects: write
-
 jobs:
   dependabot-analysis:
     runs-on: ubuntu-latest
@@ -18,21 +12,20 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          token: ${{ secrets.PAT || github.token }}
           fetch-depth: 0
 
       - name: Fetch Dependabot metadata
         id: metadata
         uses: dependabot/fetch-metadata@v2
         with:
-          github-token: ${{ secrets.PAT || github.token }}
+          github-token: ${{ secrets.PAT }}
 
       - name: Generate dependency analysis with Copilot
         uses: austenstone/copilot-cli-actions/.github/actions/copilot@main
         env:
           CONTEXT7_API_KEY: ${{ secrets.CONTEXT7_API_KEY }}
         with:
-          github-token: ${{ secrets.PAT || github.token }}
+          github-token: ${{ secrets.PAT }}
           mcp-config: |
             {
               "mcpServers": {