The "Automation: Auto-assign to Project" workflow fails on every Dependabot PR (#611, #612, #613): the add-to-project step uses secrets.PROJECT_TOKEN, but workflows triggered by Dependabot via pull_request only receive Dependabot secrets, so the token is empty and the step errors out.
Fix: trigger on pull_request_target instead of pull_request. The workflow only touches PR metadata (project board, assignee, milestone) and never checks out PR code, so running in the base-repo context is safe, and Dependabot PRs get board/assignee/milestone handling again.
The "Automation: Auto-assign to Project" workflow fails on every Dependabot PR (#611, #612, #613): the add-to-project step uses
secrets.PROJECT_TOKEN, but workflows triggered by Dependabot viapull_requestonly receive Dependabot secrets, so the token is empty and the step errors out.Fix: trigger on
pull_request_targetinstead ofpull_request. The workflow only touches PR metadata (project board, assignee, milestone) and never checks out PR code, so running in the base-repo context is safe, and Dependabot PRs get board/assignee/milestone handling again.