
Commit fa30114

committed
Fix auto-merge: use pull_request_target, least-privilege permissions
- Switch trigger to pull_request_target so GITHUB_TOKEN runs in base-branch context with full permissions (pull_request gives read-only token for Dependabot workflows since GitHub's 2021 security change)
- Drop workflows:write (not needed; merge only requires contents+pull-requests)
- Move permissions to job level (least privilege)
- Use github.event.pull_request.user.login instead of github.actor
1 parent 91de234 commit fa30114

1 file changed

Lines changed: 6 additions & 5 deletions


.github/workflows/dependabot-auto-merge.yaml

@@ -11,10 +11,7 @@ name: Auto Merge Dependabot
1111
on:
1212
pull_request_target:
1313

14-
permissions:
15-
contents: write
16-
pull-requests: write
17-
workflows: write
14+
permissions: {}
1815

1916
jobs:
2017
auto-merge:
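Review bot: the commit message says the trigger is switched to pull_request_target, but in this hunk `pull_request_target:` (line 12) is unchanged context, so the only visible change is the permissions block, where the top-level `contents: write`, `pull-requests: write` and `workflows: write` are replaced by `permissions: {}`; please reconcile the message with the diff or confirm the trigger change landed in an earlier commit. The empty top-level block is the right default for this trigger, since pull_request_target hands the job a write-capable GITHUB_TOKEN for every PR that reaches the workflow, which means the real guard against untrusted code is the job-level condition and the steps (not in this hunk), not the permissions line.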
@@ -23,8 +20,12 @@ jobs:
2320

2421
timeout-minutes: 5
2522

23+
permissions:
24+
contents: write
25+
pull-requests: write
26+
2627
# Only run for Dependabot PRs - security: prevent running on PRs from forks or other actors
27-
if: github.actor == 'dependabot[bot]'
28+
if: github.event.pull_request.user.login == 'dependabot[bot]'
2829

2930
steps:
3031
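Review bot: the comment above the `if:` still says the condition prevents running on PRs from forks, but `github.event.pull_request.user.login == 'dependabot[bot]'` checks only the PR author, not the head repository; either reword the comment to "only run for PRs authored by dependabot[bot]" or add an explicit head-repository check if fork origin is a requirement. Replacing `github.actor` is sound here, because the actor is whoever caused the event (for example a maintainer re-running or labelling the PR) while `pull_request.user.login` stays the author. The job-level `contents: write` and `pull-requests: write` match what a merge needs; consider placing the `if:` directly above `permissions:` so the gate is the first thing a reader sees, although the order has no functional effect.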
