From 6494dc61d3e663a9f5166a099d9736ceefc5a3aa Mon Sep 17 00:00:00 2001
From: Sam Bull <git@sambull.org>
Date: Wed, 28 May 2025 15:08:30 +0100
Subject: [PATCH 1/2] Fix PAT instructions with Dependabot

---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4e9b319..ff60268 100644
--- a/README.md
+++ b/README.md
@@ -461,10 +461,12 @@ If you create a fine-grained personal access token, apply the `Contents`-permiss
 ```yaml
 - uses: actions/checkout@v4
   with:
-    token: ${{ secrets.PAT }}
+    token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
 ```
 You can learn more about Personal Access Token in the [GitHub documentation](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token).
 
+Having a fallback to GITHUB_TOKEN helps things like Dependabot to continue working, as they may not be granted access to the PAT.
+
 > [!TIP] 
 > If you're working in an organisation, and you don't want to create the PAT from your personal account, we recommend using a bot-account for such tokens.
 

From b001e5f0ff05d7297c0101f4b44e861799e417dd Mon Sep 17 00:00:00 2001
From: Stefan Zweifel <stefanzweifel@users.noreply.github.com>
Date: Mon, 2 Jun 2025 21:37:45 +0200
Subject: [PATCH 2/2] Apply suggestions from code review

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index ff60268..512f25c 100644
--- a/README.md
+++ b/README.md
@@ -461,11 +461,11 @@ If you create a fine-grained personal access token, apply the `Contents`-permiss
 ```yaml
 - uses: actions/checkout@v4
   with:
+    # We pass the "PAT" secret to the checkout action; if no PAT secret is available to the workflow runner (eg. Dependabot) we fall back to the default "GITHUB_TOKEN".
     token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
 ```
 You can learn more about Personal Access Token in the [GitHub documentation](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token).
 
-Having a fallback to GITHUB_TOKEN helps things like Dependabot to continue working, as they may not be granted access to the PAT.
 
 > [!TIP] 
 > If you're working in an organisation, and you don't want to create the PAT from your personal account, we recommend using a bot-account for such tokens.