Skip to content

Commit abff301

Browse files
freekmurzeclaude
andcommitted
Harden Dependabot auto-merge actor check
github.actor reflects the actor that triggered the run, not the PR author, so it can read 'dependabot[bot]' on a PR whose code is not from Dependabot. Gate on the immutable PR author instead, and add a repository guard so forks that copy this workflow do not auto-merge. Reported by Volker Dusch (@edorian) and the PHP Foundation. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 5ad6a78 commit abff301

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

.github/workflows/dependabot-auto-merge.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ permissions:
88
jobs:
99
dependabot:
1010
runs-on: ubuntu-latest
11-
if: ${{ github.actor == 'dependabot[bot]' }}
11+
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'spatie/dropbox-api' }}
1212
steps:
1313

1414
- name: Dependabot metadata

0 commit comments

Comments
 (0)