Try pull_request_target to mitigate secrets issue

References: - ahmadnassri/action-dependabot-auto-merge#60 - https://securitylab.github.com/research/github-actions-preventing-pwn-requests For public repos it should work, people complain only about private repos, though one wonders if the permissions of PATs are correct.
asaaki · Mar 11, 2021 · e4d1327 · e4d1327
1 parent 12aa461
commit e4d1327
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -2,7 +2,11 @@
 name: Dependabot Auto Merge
 
 on:
-  pull_request:
+  # https://securitylab.github.com/research/github-actions-preventing-pwn-requests
+  # could and should work, at least for public repos;
+  # tracking issue for this action's issue:
+  # https://github.com/ahmadnassri/action-dependabot-auto-merge/issues/60
+  pull_request_target:
 
 jobs:
   auto-merge:
@@ -13,5 +17,6 @@ jobs:
         with:
           target: patch
           # Note: This needs to be a PAT with (public) repo rights,
-          #       user needs to have access to this repo
+          #       PAT-owning user needs to have write access to this repo
+          #       (dependabot needs to recognize the comment as coming from an allowed reviewer)
           github-token: ${{ secrets.BOT_TOKEN }}