Skip to content

Commit b38a404

Browse files
freekmurzeclaude
andcommitted
Harden Dependabot auto-merge actor check
github.actor reflects the actor that triggered the run, not the PR author, so it can read 'dependabot[bot]' on a PR whose code is not from Dependabot. Gate on the immutable PR author instead, and add a repository guard so forks that copy this workflow do not auto-merge. Reported by Volker Dusch (@edorian) and the PHP Foundation. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 3300cc6 commit b38a404

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

.github/workflows/dependabot-auto-merge.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ jobs:
99
dependabot:
1010
runs-on: ubuntu-latest
1111
timeout-minutes: 5
12-
if: ${{ github.actor == 'dependabot[bot]' }}
12+
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'spatie/phpunit-watcher' }}
1313
steps:
1414

1515
- name: Dependabot metadata

0 commit comments

Comments
 (0)