I'd like for the libraryupgrader bot account to have +2 permissions to use when it only edits "composer.json", "package.json", and/or "phpcs.xml".
Depending on new sniffs added, the bot may autofix some code - in these cases I think it always needs to go through manual review by a human and should not be +2'd by the bot.
In the past the script that ran under my account would automatically +2 patches that only touched "composer.json". I would manually all other patches before +2ing them - I'm no longer doing that in the new setup.
The password to the bot's gerrit account is stored in my password manager and in a plaintext file in the Cloud VPS project.