Fix 403 error: Configure github-token for Dependabot alerts access

[Copilot]

The Dependabot Project Manager workflow was failing with 403 Forbidden when querying Dependabot alerts through the GitHub MCP server. The default GITHUB_TOKEN lacks security_events:read permission in the github org.

Changes

• Configure GitHub MCP server to use GH_AW_PROJECT_GITHUB_TOKEN which has both Projects and security_events permissions
• Add github-token field to GitHub tool configuration in workflow frontmatter

tools:
  github:
    toolsets:
      - default
      - dependabot
      - projects
    github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}

This routes all GitHub API calls through the elevated token, enabling access to /repos/{owner}/{repo}/dependabot/alerts endpoint.

Original prompt

Debug and edit to add dependabot. See 403 in run: https://github.com/github/gh-aw/actions/runs/21764337169

Custom agent used: agentic-workflows
GitHub Agentic Workflows (gh-aw) - Create, debug, and upgrade AI-powered workflows with intelligent prompt routing

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.