File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 11name : Dependabot Changeset
22
3- on : pull_request_target # zizmor: ignore[dangerous-triggers] Need write base repo write access to commit the changeset. See warning below.
3+ on : pull_request
44
55permissions : {}
66
@@ -11,27 +11,19 @@ concurrency:
1111jobs :
1212 generate :
1313 name : Generate
14-
15- # IMPORTANT:
16- # NEVER REMOVE THIS CONDITION!
17- # We're using `pull_request_target` in order to have write access to the base repository
18- # so we'll be able to commit the changeset file.
19- # Removing the user check could give privileged access to a potential attacker.
2014 if : |
2115 github.event.pull_request.user.login == 'dependabot[bot]' &&
2216 startsWith(github.head_ref, 'dependabot/npm_and_yarn/npm-production-')
2317
2418 runs-on : ubuntu-latest
2519
26- permissions :
27- contents : write
28-
2920 steps :
3021 - name : Checkout source code # zizmor: ignore[artipacked] Need persisted token to commit the changeset.
3122 uses : actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
3223 with :
3324 fetch-depth : 0
3425 ref : ${{ github.head_ref }}
26+ ssh-key : ${{ secrets.DEPLOY_KEY }}
3527
3628 - name : Install Dependencies
3729 uses : ./.github/actions/install
You can’t perform that action at this time.
0 commit comments