Add tokens to fix vercel-action deployments triggered by Dependabot #188

Open
mokaymokay opened this issue Feb 9, 2023 · 5 comments
@mokaymokay
Contributor

mokaymokay commented Feb 9, 2023

We have Dependabot enabled to update dependencies. Usually we can just merge these minor updates as they come up, but it seems like the previews are failing: https://github.com/sanctuarycomputer/sanctu-dot-com/actions/runs/4085007316/jobs/7042405703

We ran into the same issue with Hinge lately; basically it's due to Dependabot not having access to action secrets. This can be fixed by adding those same secrets to Dependabot secrets (option #2 listed in this comment).

You wouldn't need to see the Vercel tokens in the action secrets panel, so you'll need to generate new ones in Vercel here

This issue can be closed when:

  • Re-triggering those Dependabot deployments to successfully build preview
  • GitHub Actions CI still works fine after updating the tokens

@nahbee10
Contributor

@mokaymokay This is solved by adding the necessary tokens to Dependabot and the necessary github-token permissions to the deploy workflow, to solve this issue caused by github-token's read-only default permission (related doc).

[Screenshot]

All Dependabot PRs passed the checks! Should I merge them to main?

@mokaymokay
Contributor Author

mokaymokay commented Feb 15, 2023

hmm I don't think the issue is solved by adding the permissions to the deploy.yml. After we add secrets to Dependabot secrets, it should already have access.

The error says:

find comment
previous comment not found

So I think it's because there's no commit message? Bryan fixed a similar issue yesterday by adding a default commit message for Dependabot. https://github.com/sanctuarycomputer/hinge/commit/8da019f80e03a7da64df1b6776ebde4c04a193d9

I think the errors may be gone because we added the commit "Update deploy.yml"

@nahbee10
Contributor

nahbee10 commented Feb 15, 2023

@mokaymokay thanks for the feedback on the issue!

❇️ Short conclusion: added a fixed version of the Dependabot config (dependabot.yml), removed permissions:, but would like to wait until the next Dependabot action to verify if this solves the problem!

❇️ Long one: I think adding a default commit message cannot solve the issue since,

[Screenshot]

-> Anyway I added the fixed Dependabot [config](https://github.com/sanctuarycomputer/sanctu-dot-com/blob/main/.github/dependabot.yml) to see if this helps solve the issue next time!
  • successful actions also come with the same error message - find comment / previous comment not found. So I don't think this is the cause of the issue but just about the status on not having a prev comment?

[Screenshot]

  • also, adding Dependabot secrets (VERCEL_TOKEN / _ORG_ID / PROJECT_ID) is to give access to the Vercel project, not to give write access to the PR. I think this issue Error: Resource not accessible by integration happens because Dependabot wanted to write something to the PR (probably this github-action comment?) but didn't have access to do so.
    -> this was the reason I added permissions: to the deploy action, but I deleted it now and re-ran the jobs on the Dependabot actions, looks like it works in this way! But want to wait until the next Dependabot action happens in a couple weeks to verify this works, since my prev trials / commit history & comments may affect the result!

@mokaymokay
Contributor Author

@nahbee10 Thanks for explaining about the Error: Resource not accessible by integration. I'm OK with us adding permissions, but can we just add the ones that Dependabot absolutely needs?

According to the docs, contents is for updating a file, which makes sense since it's trying to update version in package.json.

Can we double check the docs and only add the permissions that we need? TY!
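
A least-privilege form of the `permissions:` change discussed in this thread, as an added example that is not part of the thread or the repository's actual deploy.yml. It assumes the workflow uses amondnet/vercel-action, that the only write the job makes with GITHUB_TOKEN is the preview comment on the pull request, and that the org and project secrets are named VERCEL_ORG_ID and VERCEL_PROJECT_ID; confirm the scopes against the action's documentation before relying on them.

```yaml
# Added example: hypothetical deploy workflow, not the repository's real deploy.yml.
name: deploy-preview
on:
  pull_request:

# Workflow-level default: grant nothing. Each job then lists only what it
# needs, instead of a broad grant such as `permissions: write-all`.
permissions: {}

jobs:
  preview:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # actions/checkout reads the repository
      pull-requests: write  # assumed: the action posts the preview URL as a PR comment
    steps:
      - uses: actions/checkout@v3
      # Assumption: amondnet/vercel-action; pin to the release or commit SHA you use.
      - uses: amondnet/vercel-action@v25
        with:
          # On Dependabot-triggered runs these resolve from Dependabot secrets,
          # not Actions secrets, so the same names must exist in both stores.
          vercel-token: ${{ secrets.VERCEL_TOKEN }}
          vercel-org-id: ${{ secrets.VERCEL_ORG_ID }}          # assumed secret name
          vercel-project-id: ${{ secrets.VERCEL_PROJECT_ID }}  # assumed secret name
          # Read-only by default on Dependabot PRs; the job-level block above
          # is what widens it, and only for this job.
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

The two stores solve different problems: Dependabot secrets let the job reach Vercel, while the job-level `permissions:` block governs what GITHUB_TOKEN may write back to the repository.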

@mokaymokay
Contributor Author

Good to merge the PRs btw, looks like none of them are major version updates~
