Triggering subsequent github actions without a PAT

I wanted to point out a workaround and ask if you see any downsides to using it for triggering subsequent github actions from release please without having to use a personal access token.

The referenced documentation from github (https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow) mentions that workflow_dispatch can be used to trigger subsequent actions.

So I've set up the following workflow for release please:

name: release-please

on:
  push:
    branches:
      - main

permissions:
  actions: write
  contents: write
  pull-requests: write

jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      - uses: googleapis/release-please-action@v4
        id: release-please
        with:
          release-type: python
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Trigger Workflow
        if: steps.release-please.outputs.release_created == 'true'
        uses: actions/github-script@v7
        with:
          script: |
            github.rest.actions.createWorkflowDispatch({
              owner: context.repo.owner,
              repo: context.repo.repo,
              workflow_id: 'release.yml',
              ref: '${{ steps.release-please.outputs.tag_name }}',
            })

This will trigger my release.yml workflow when a release is created, and works like a release.published event would have. It requires an additional permission, actions: write and my release.yml must trigger on workflow dispatch.

Do you see any issues with using this workaround? For our use case using a PAT seems strange as all releases would be attributed to a person and we'd need to stay on top rolling it periodically.

Are there any other methods you recommend for handling this? Do you recommend using the probot instead for use cases where PAT does not fit?

googleapis / release-please-action

Triggering subsequent github actions without a PAT #1000