automate boringssl update PRs (#7257)
* automate boringssl update PRs
This switches to a GH app + dynamically created token from that app to
auto-submit PRs. We can avoid the app if we want to just use a PAT, but
I don't really love that solution either.
This also uses ls-remote to avoid cloning the entire boring repo, which
is much faster.
* pin directly to hash. apparently dependabot can handle this now?
* limit permissions of the workflow itself
* use refs/heads/master instead of HEAD
1 file changed