fix(ci): harden CI workflows before first release

- ci.yml: restrict push trigger to main branch (PRs cover feature branches)
- auto-approve.yml: switch to github.actor for re-approval on maintainer pushes
- dependabot.yml: add labels and group GitHub Actions bumps into single PRs

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

Author: SebTardif

.github/dependabot.yml

@@ -4,10 +4,18 @@ updates:
     directory: /
     schedule:
       interval: weekly
+    labels:
+      - dependencies
     open-pull-requests-limit: 10
 
   - package-ecosystem: github-actions
     directory: /
     schedule:
       interval: weekly
+    labels:
+      - dependencies
     open-pull-requests-limit: 5
+    groups:
+      actions:
+        patterns:
+          - "*"

.github/workflows/auto-approve.yml

@@ -20,9 +20,9 @@ jobs:
       contents: write
       pull-requests: write
     if: >
-      github.event.pull_request.user.login == 'SebTardif' ||
-      github.event.pull_request.user.login == 'dependabot[bot]' ||
-      github.event.pull_request.user.login == 'github-actions[bot]'
+      github.actor == 'SebTardif' ||
+      github.actor == 'dependabot[bot]' ||
+      github.actor == 'github-actions[bot]'
     steps:
       - name: Harden runner
         uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0

.github/workflows/ci.yml

@@ -2,6 +2,7 @@ name: ci
 
 on:
   push:
+    branches: [main]
   pull_request:
   merge_group:
   workflow_dispatch: