Change dependabot automerge pull_request -> pull_request_target

The maximum permissions that can be granted from a forked repo are read-only which will prevent PR approvals / automerge from a forked repo. Using pull_request instead of pull_request_target should still work since dependabot opens the PR from a branch within the repo. Using pull_request is better security practice.
a-feld · Dec 15, 2024 · 06a0723 · 06a0723
1 parent d8a639c
commit 06a0723
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
@@ -13,10 +13,10 @@
 # limitations under the License.
 
 name: auto-merge
-on: pull_request_target
+on: pull_request
 jobs:
   dependabot:
-    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'a-feld/pywreck'
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write