It is important that any fdroid-bot setup is limited to pushing only to GitLab projects under the fdroid-bot group. fdroid-bot setups should never have push access to any other git repositories. This is a hard requirement to keep the security profile manageable.
When fdroid-bot needs push access, it should be set up to use a Deploy Key that is used only in that one repo. If fdroid-bot needs to interact with the GitLab API, for example to create merge requests, then it should use a Personal Access Token that is assigned to a single project in GitLab. This limits the access and makes it easy to revoke specific tokens/keys as needed.
Special case: binary transparency logs for external projects
There are binary transparency logs for the Android SDK components and the Gradle binaries. These are also automatic processes that push commits into dedicated git repositories where the automatic process is the only committer. These are not the same as fdroid-bot because they are entirely self-contained in their own GitLab projects. These scripts are set up using GitLab Deploy Keys so that they can only push commits to the same repository they are running in.
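Both the fdroid-bot rule above (push only under the fdroid-bot group, one Deploy Key per repo) and the binary transparency scripts (push only to their own repository) can be enforced on the bot side with a small guard. The following is an added example, not code from the fdroid-bot or F-Droid projects; it assumes the GitLab host is gitlab.com and the group is literally named fdroid-bot, and the sample remote URLs are constructed.

```sh
#!/bin/sh
# Added example: refuse to push unless the remote is a GitLab project under the
# fdroid-bot group, and bind one deploy key to exactly one clone.
ALLOWED_HOST="gitlab.com"   # assumption
ALLOWED_GROUP="fdroid-bot"  # assumption

# Print "<host> <namespace/project>" for the usual git remote URL forms:
#   git@gitlab.com:fdroid-bot/repo.git
#   ssh://git@gitlab.com:2222/fdroid-bot/repo.git
#   https://gitlab.com/fdroid-bot/repo.git
# Returns 1 for anything it does not recognise.
remote_parts() {
    url="$1"
    case "$url" in
        ssh://*|https://*|http://*)
            rest="${url#*://}"        # drop the scheme
            rest="${rest#*@}"         # drop user@ (or user:token@) if present
            host="${rest%%/*}"
            path="${rest#*/}" ;;
        *@*:*)
            rest="${url#*@}"          # scp-style: user@host:path
            host="${rest%%:*}"
            path="${rest#*:}" ;;
        *) return 1 ;;
    esac
    host="${host%%:*}"                # drop an explicit port
    path="${path#/}"
    path="${path%.git}"
    printf '%s %s\n' "$host" "$path"
}

# True only when the host matches and the first path component (the GitLab
# namespace) is exactly the allowed group and a project name follows it.
push_allowed() {
    parts=$(remote_parts "$1") || return 1
    host="${parts%% *}"; path="${parts#* }"; group="${path%%/*}"
    [ "$host" = "$ALLOWED_HOST" ] && [ "$group" = "$ALLOWED_GROUP" ] \
        && [ "$path" != "$group" ]
}

# Bind a single deploy key to one clone; IdentitiesOnly stops ssh from
# offering any other key (e.g. from an agent) to this remote.
bind_deploy_key() {
    git -C "$1" config core.sshCommand "ssh -i $2 -o IdentitiesOnly=yes"
}

# Constructed sample remotes, printed as allow/deny for illustration.
for u in git@gitlab.com:fdroid-bot/repo.git https://gitlab.com/other/repo.git; do
    if push_allowed "$u"; then echo "allow $u"; else echo "deny  $u"; fi
done
```

A wrapper would call `push_allowed "$(git remote get-url --push origin)"` before `git push`; the guard rejects look-alike namespaces such as fdroid-bot-x or some-group/fdroid-bot.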