Skip to content

Commit df50bb4

Browse files
authored
ci(dependabot-changeset): use a deploy key instead of GITHUB_TOKEN [AR-59671] (drivenets#441)
1 parent c3fb628 commit df50bb4

1 file changed

Lines changed: 2 additions & 10 deletions

File tree

.github/workflows/dependabot-changeset.yml

Lines changed: 2 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
name: Dependabot Changeset
22

3-
on: pull_request_target # zizmor: ignore[dangerous-triggers] Need write base repo write access to commit the changeset. See warning below.
3+
on: pull_request
44

55
permissions: {}
66

@@ -11,27 +11,19 @@ concurrency:
1111
jobs:
1212
generate:
1313
name: Generate
14-
15-
# IMPORTANT:
16-
# NEVER REMOVE THIS CONDITION!
17-
# We're using `pull_request_target` in order to have write access to the base repository
18-
# so we'll be able to commit the changeset file.
19-
# Removing the user check could give privileged access to a potential attacker.
2014
if: |
2115
github.event.pull_request.user.login == 'dependabot[bot]' &&
2216
startsWith(github.head_ref, 'dependabot/npm_and_yarn/npm-production-')
2317
2418
runs-on: ubuntu-latest
2519

26-
permissions:
27-
contents: write
28-
2920
steps:
3021
- name: Checkout source code # zizmor: ignore[artipacked] Need persisted token to commit the changeset.
3122
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
3223
with:
3324
fetch-depth: 0
3425
ref: ${{ github.head_ref }}
26+
ssh-key: ${{ secrets.DEPLOY_KEY }}
3527

3628
- name: Install Dependencies
3729
uses: ./.github/actions/install

0 commit comments

Comments
 (0)