From 155a7a7d81608dca536d187d13406179bbaffe7c Mon Sep 17 00:00:00 2001
From: "James M. Greene" <JamesMGreene@github.com>
Date: Wed, 22 Feb 2023 11:47:31 -0600
Subject: [PATCH] Revise Dependabot rebuild workflow

---
 .github/workflows/rebuild-dependabot-prs.yml | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/rebuild-dependabot-prs.yml b/.github/workflows/rebuild-dependabot-prs.yml
index 87846c7..2da749e 100644
--- a/.github/workflows/rebuild-dependabot-prs.yml
+++ b/.github/workflows/rebuild-dependabot-prs.yml
@@ -5,17 +5,20 @@ on:
     branches:
       - 'dependabot/npm**'
 
-permissions:
-  contents: write
-
-# This allows a subsequently queued workflow run to interrupt previous runs
-concurrency:
-  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
-  cancel-in-progress: true
+# No permissions needed for `GITHUB_TOKEN` since we're using a PAT instead
+permissions: {}
 
 jobs:
   rebuild-dist:
     if: ${{ github.event.sender.login == 'dependabot[bot]' }}
+
+    # This allows a subsequently queued workflow run to interrupt previous runs.
+    # It is evaluated AFTER the job's `if` condition, so a push triggered by this
+    # workflow's PAT will NOT interrupt a run triggered by a push from Dependabot.
+    concurrency:
+      group: '${{ github.workflow }} / ${{ github.job }} @ ${{ github.ref }}'
+      cancel-in-progress: true
+
     runs-on: ubuntu-latest
     steps:
       - name: Checkout