
Conversation

@forged-request
Contributor

This change improves the security of the dependabot auto-approval workflow by:

  • Checking the PR user login instead of github.actor
  • Verifying the PR is from the same repository (not a fork)

This prevents potential security issues where forked PRs could be auto-approved.

@github-actions github-actions bot added the tools label Jan 6, 2026
@forged-request forged-request enabled auto-merge (squash) January 6, 2026 09:31
…rkflow

This change improves the security of the dependabot auto-approval workflow by:
- Checking the PR user login instead of github.actor
- Verifying the PR is from the same repository (not a fork)

This prevents potential security issues where forked PRs could be auto-approved.
@forged-request forged-request force-pushed the chore/security-1357-dependabot-approval-fix branch from 5c94004 to 3b70dfd Compare January 6, 2026 09:35
@forged-request forged-request requested a review from Copilot January 9, 2026 15:54

Copilot AI left a comment


Pull request overview

This PR enhances the security of the dependabot auto-approval workflow by refining the conditions under which PRs are automatically approved. The changes prevent potential security issues where forked PRs could be auto-approved by verifying both the PR author and repository origin.

Changes:

  • Modified the workflow condition to check github.event.pull_request.user.login instead of github.actor
  • Added verification that the PR originates from the same repository (not a fork)


id-token: write
runs-on: ubuntu-latest
if: github.actor == 'dependabot[bot]'
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
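Review bot: The `if:` line should carry a comment recording why `github.actor` was not sufficient, because nothing in the hunk explains it and the longer expression invites a later "simplification" back to the single-clause form. `github.actor` identifies whoever triggered the workflow run (the user behind the push, reopen or label event), not the author of the pull request, so it is the wrong identity to gate an approval on; `github.event.pull_request.user.login` is the PR author, and the second clause `github.repository == github.event.pull_request.head.repo.full_name` additionally refuses PRs whose head branch lives in another repository. Both clauses are needed for the fix described in the PR body; a comment such as `# approve only PRs authored by dependabot whose head branch is in this repository, not a fork` above the condition would make that explicit.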

Copilot AI Jan 9, 2026


The condition github.event.pull_request.head.repo.full_name can be null for forked PRs in certain GitHub configurations, which could cause the workflow to fail or behave unexpectedly. Consider adding a null check or using a safer comparison pattern.

Suggested change
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.head.repo != null && github.repository == github.event.pull_request.head.repo.full_name
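Review bot: The added `github.event.pull_request.head.repo != null` clause makes the intent readable but does not widen or narrow when approval happens: whenever it is false the `&&` chain is false and the job is skipped, which is the safe direction, and whenever it is true the remaining two clauses are exactly those of the original line. If the suggestion is accepted, keep the author check as the first clause so that a PR not authored by `dependabot[bot]` is rejected before `head.repo` is consulted at all.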

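As an added illustration that is not part of this PR or its workflow, the two `if:` conditions from the hunk rewritten as plain Python functions over constructed event payloads. This makes the difference between the actor-based gate and the author-plus-repository gate, and the null `head.repo` case raised in the review, checkable offline. The payloads are constructed to exercise the expressions and say nothing about which of them GitHub can actually produce; the assumption that dereferencing a missing or null context property yields an empty value rather than an error is modelled in `_get`.

```python
from typing import Any, Dict, Optional, Tuple

DEPENDABOT = "dependabot[bot]"
BASE_REPO = "example-org/example-repo"  # constructed placeholder, not the PR's repository


def _get(obj: Any, *path: str) -> Optional[Any]:
    """Walk a dotted context path such as event.pull_request.head.repo.full_name.

    A missing or null step yields None instead of raising; this models the
    lenient property access of GitHub Actions expressions (an assumption of
    this example, not something the PR states).
    """
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def old_gate(ctx: Dict[str, Any]) -> bool:
    """The condition before the PR: github.actor == 'dependabot[bot]'.

    github.actor is whoever triggered the run, not the PR author.
    """
    return ctx.get("actor") == DEPENDABOT


def new_gate(ctx: Dict[str, Any]) -> bool:
    """The condition after the PR: PR author is dependabot AND the head
    branch lives in this repository (github.repository == head.repo.full_name).
    """
    author = _get(ctx, "event", "pull_request", "user", "login")
    head_repo = _get(ctx, "event", "pull_request", "head", "repo", "full_name")
    return author == DEPENDABOT and ctx.get("repository") == head_repo


def make_ctx(actor: str, author: str, head_repo: Optional[str]) -> Dict[str, Any]:
    """Build a minimal github context. head_repo=None models a null head.repo."""
    repo_obj = {"full_name": head_repo} if head_repo is not None else None
    return {
        "actor": actor,
        "repository": BASE_REPO,
        "event": {"pull_request": {"user": {"login": author}, "head": {"repo": repo_obj}}},
    }


# Constructed scenarios: name -> context. They exercise the expressions only.
SCENARIOS: Dict[str, Dict[str, Any]] = {
    "dependabot_pr_same_repo": make_ctx(DEPENDABOT, DEPENDABOT, BASE_REPO),
    "maintainer_retriggers_dependabot_pr": make_ctx("maintainer", DEPENDABOT, BASE_REPO),
    "pr_from_fork": make_ctx(DEPENDABOT, DEPENDABOT, "someone-else/example-repo"),
    "head_repo_null": make_ctx(DEPENDABOT, DEPENDABOT, None),
}


def evaluate_scenarios() -> Dict[str, Tuple[bool, bool]]:
    """Return (old_gate, new_gate) for every scenario; never raises, even on null head.repo."""
    return {name: (old_gate(ctx), new_gate(ctx)) for name, ctx in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (old, new) in evaluate_scenarios().items():
        print(f"{name:40s} old={old!s:5s} new={new!s:5s}")
```

Only the same-repository, dependabot-authored scenario is approved by the new gate; a fork head and a null `head.repo` both fall through to "skip", while a maintainer re-triggering a dependabot PR is now approved because the author, not the actor, is what the new condition inspects.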
@forged-request forged-request requested a review from a team January 9, 2026 15:55
@vercel

vercel bot commented Feb 11, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
field-editors Ready Ready Preview Feb 11, 2026 3:07pm


@forged-request forged-request merged commit 28fbdec into master Feb 11, 2026
17 checks passed
@forged-request forged-request deleted the chore/security-1357-dependabot-approval-fix branch February 11, 2026 15:13