Commit b38a404
Harden Dependabot auto-merge actor check
github.actor reflects the actor that triggered the run, not the PR
author, so it can read 'dependabot[bot]' on a PR whose code is not
from Dependabot. Gate on the immutable PR author instead, and add a
repository guard so forks that copy this workflow do not auto-merge.
Reported by Volker Dusch (@edorian) and the PHP Foundation.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>1 parent 3300cc6 commit b38a404
1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
9 | 9 | | |
10 | 10 | | |
11 | 11 | | |
12 | | - | |
| 12 | + | |
13 | 13 | | |
14 | 14 | | |
15 | 15 | | |
| |||
0 commit comments