[Task] Consider using GITHUB_TOKEN in submodule workflow

[ebaron]

If we can use GITHUB_TOKEN with write access to update Cryostat's submodule we should do that instead of using a Personal Access Token. This would also be useful for the similar workflow in the Helm Chart.

cryostat-web/.github/workflows/submodule.yaml

Line 23 in ee99ad1

token: "${{ secrets.SUBMODULE_TOKEN }}"

[ebaron]

This may not be possible since in this case we're writing to a different repo within the org, but it's worth exploring to see if it's doable.

[tthvo]

I guess a solution can be:

• Add a workflow on target repository that will automatically merge when PR is labeled with auto-merge (maybe also need automatic approvals).
• Update this workflow to open the PR (instead of direct push) to update submodule with label auto-merge.

This way, merge action will use the target repository token.

[mwangggg]

I don't think this is possible right now without a PAT due to the limitations of the GITHUB_TOKEN permissions. Since we want to keep it automated, I'll just leave it as is :)