
fix(ci): restrict Dependabot auto-merge to security alerts#281

Merged
BunsDev merged 1 commit into main from codex/fix-dependabot-auto-merge-vulnerability on Jul 1, 2026

Conversation


BunsDev commented Jun 30, 2026

Member

Motivation

  • Prevent automatic merging of routine Dependabot semver patch/minor updates to reduce supply-chain risk by limiting auto-merge to confirmed security alerts.
  • The previous update-type gate plus the default GITHUB_TOKEN allowed non-security patch/minor bumps to be auto-merged, which broadened the attack surface.

Description

  • Use dependabot/fetch-metadata@v3 with alert-lookup: true and github-token: ${{ secrets.DEPENDABOT_ALERTS_TOKEN }} to fetch Dependabot security metadata in /.github/workflows/dependabot-auto-merge.yml.
  • Change the merge condition to require steps.meta.outputs.ghsa-id != '' && steps.meta.outputs.alert-state == 'OPEN' and retain the gh pr merge --auto --squash "$PR_URL" call for eligible security PRs.
  • Add documentation to the workflow explaining the fail-closed behavior and the requirement for a dedicated alert-reading token so the workflow does not fall back to broad version-update auto-merge.

Testing

  • Parsed the updated workflow with Ruby YAML: ruby -e 'require "yaml"; data=YAML.load_file(".github/workflows/dependabot-auto-merge.yml"); puts data["name"]; puts data["jobs"]["auto-merge"]["steps"][0]["with"]["alert-lookup"]' which printed the expected values.
  • Ran git diff --check which reported no whitespace or diff errors.
  • Linting with actionlint was not executed because actionlint is not installed in the environment.

Codex Task
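The gate change described above, as an added example that is not part of this PR or the project's workflow: a small Ruby policy check, in the same spirit as the Ruby YAML parse mentioned under Testing, that fails when the Dependabot auto-merge gate regresses to update-type matching or to the default GITHUB_TOKEN. Both workflow documents below are constructed for this example; the job name auto-merge, the step id meta, the secret name DEPENDABOT_ALERTS_TOKEN and the merge condition follow the PR description, and the permissions block, the job-level dependabot[bot] actor check and the GH_TOKEN env wiring are assumptions about how such a workflow is typically wired up. The fetch-metadata outputs used here (update-type, ghsa-id, alert-state) and the alert-lookup and github-token inputs are the action's documented ones.

```ruby
require "yaml"

# Constructed "before": merge gated on the semver update type, and
# fetch-metadata left on its default token (the workflow's GITHUB_TOKEN).
WEAK_WORKFLOW = <<~YAML
  name: Dependabot auto-merge
  on: pull_request
  permissions:
    contents: write
    pull-requests: write
  jobs:
    auto-merge:
      runs-on: ubuntu-latest
      if: github.event.pull_request.user.login == 'dependabot[bot]'
      steps:
        - id: meta
          uses: dependabot/fetch-metadata@v3
        - if: "steps.meta.outputs.update-type == 'version-update:semver-patch' || steps.meta.outputs.update-type == 'version-update:semver-minor'"
          run: gh pr merge --auto --squash "$PR_URL"
          env:
            PR_URL: ${{ github.event.pull_request.html_url }}
            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
YAML

# Constructed "after": alert lookup with a dedicated alert-reading token,
# merge only when the PR is backed by an OPEN alert. Any other alert-state
# (FIXED, DISMISSED, or empty because lookup failed) leaves the PR for a
# human, which is the fail-closed behaviour the PR description asks for.
HARDENED_WORKFLOW = <<~YAML
  name: Dependabot auto-merge
  on: pull_request
  permissions:
    contents: write
    pull-requests: write
  jobs:
    auto-merge:
      runs-on: ubuntu-latest
      if: github.event.pull_request.user.login == 'dependabot[bot]'
      steps:
        - id: meta
          uses: dependabot/fetch-metadata@v3
          with:
            alert-lookup: true
            github-token: ${{ secrets.DEPENDABOT_ALERTS_TOKEN }}
        - if: "steps.meta.outputs.ghsa-id != '' && steps.meta.outputs.alert-state == 'OPEN'"
          run: gh pr merge --auto --squash "$PR_URL"
          env:
            PR_URL: ${{ github.event.pull_request.html_url }}
            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
YAML

# Inspects the auto-merge job and returns a list of findings; an empty list
# means the gate only auto-merges PRs backed by an open security alert.
def check_auto_merge_gate(yaml_text)
  findings = []
  steps = YAML.safe_load(yaml_text).dig("jobs", "auto-merge", "steps") || []

  meta = steps.find { |s| s["uses"].to_s.start_with?("dependabot/fetch-metadata@") }
  if meta.nil?
    findings << "no dependabot/fetch-metadata step"
  else
    with = meta["with"] || {}
    findings << "alert-lookup is not enabled" unless with["alert-lookup"] == true
    token = with["github-token"].to_s
    # An empty github-token means the action's default, the workflow token,
    # which cannot read Dependabot alerts, so ghsa-id and alert-state stay empty.
    if token.empty? || token.include?("GITHUB_TOKEN") || token.include?("github.token")
      findings << "fetch-metadata relies on the default GITHUB_TOKEN, which cannot read alerts"
    end
  end

  merge = steps.find { |s| s["run"].to_s.include?("gh pr merge") }
  if merge.nil?
    findings << "no gh pr merge step"
  else
    cond = merge["if"].to_s
    findings << "merge gate keys on update-type" if cond.include?("update-type")
    unless cond.include?("ghsa-id") && cond.include?("alert-state == 'OPEN'")
      findings << "merge gate does not require an open security alert"
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts "weak:     #{check_auto_merge_gate(WEAK_WORKFLOW).inspect}"
  puts "hardened: #{check_auto_merge_gate(HARDENED_WORKFLOW).inspect}"
end
```

Point the script at the real file with YAML.load_file instead of the embedded documents to run it as a CI step; note that Ruby's YAML parser reads the top-level on key as the boolean true, which is why the check navigates from jobs rather than from on.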

Copilot AI review requested due to automatic review settings June 30, 2026 19:43

Copilot AI left a comment

Contributor


Pull request overview

Tightens the Dependabot auto-merge workflow so that it only enables auto-merge for PRs that are backed by an open Dependabot security alert, reducing the chance of routine version bumps being merged automatically.

Changes:

  • Switch auto-merge gating from update-type (semver patch/minor) to security alert metadata (ghsa-id + alert-state).
  • Configure dependabot/fetch-metadata@v3 to perform alert lookup using a dedicated secret token (DEPENDABOT_ALERTS_TOKEN).
  • Update workflow documentation to explain the security rationale and fail-closed intent.


Comment thread .github/workflows/dependabot-auto-merge.yml Outdated
@BunsDev BunsDev force-pushed the codex/fix-dependabot-auto-merge-vulnerability branch from ddc78c5 to df82506 Compare July 1, 2026 05:59
@BunsDev BunsDev merged commit 1b5046a into main Jul 1, 2026
15 checks passed
@BunsDev BunsDev deleted the codex/fix-dependabot-auto-merge-vulnerability branch July 1, 2026 06:05
