Thanks to visit codestin.com
Credit goes to github.com

Skip to content

ci(ci): check dependabot prs originate from repo #6330

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Eomm merged 1 commit into from
Sep 24, 2025
Merged

ci(ci): check dependabot prs originate from repo #6330

Eomm merged 1 commit into from
Sep 24, 2025

Conversation

@Fdawgs
Copy link
Member

@Fdawgs Fdawgs commented Sep 23, 2025

Added an extra conditional to the automerge job to check Dependabot PRs are coming from the same repo and not a fork.
Never seen this happen but Dependabot/GitHub developers aren't infallible and bugs can occur, so is an extra security layer.

Checklist

@github-actions github-actions bot added the github actions Github actions related label Sep 23, 2025
Fdawgs
Fdawgs commented Sep 23, 2025
View reviewed changes
@Fdawgs Fdawgs changed the title ci(ci): check dependabot prs come from repo ci(ci): check dependabot prs originate from repo Sep 23, 2025
This was referenced Sep 23, 2025
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
@Uzlopak
Copy link
Contributor

Uzlopak commented Sep 23, 2025

I think this is already covered in the code of the action. I think i had also claimed a cve for this.

@Fdawgs
Copy link
Member Author

Fdawgs commented Sep 23, 2025

I think this is already covered in the code of the action. I think i had also claimed a cve for this.

Not that I can see? Your CVE was around imitating Dependabot by changing the associated username and email for a malicious commit.

Uzlopak
Uzlopak approved these changes Sep 23, 2025
View reviewed changes
Copy link
Contributor

@Uzlopak Uzlopak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Uzlopak
Copy link
Contributor

Uzlopak commented Sep 23, 2025

Allrighty ;)

@Eomm Eomm merged commit 79cbc96 into main Sep 24, 2025
34 checks passed
@Eomm Eomm deleted the ci/ci-automerge branch September 24, 2025 08:19
jean-michelet pushed a commit to jean-michelet/fastify that referenced this pull request Sep 24, 2025
@Fdawgs @jean-michelet
ci(ci): check dependabot prs come from repo (fastify#6330)
ff8ed05
This was referenced Sep 24, 2025
Closed
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
@Fdawgs Fdawgs mentioned this pull request Sep 24, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Uzlopak Uzlopak Uzlopak approved these changes

@Eomm Eomm Eomm approved these changes

Assignees

No one assigned

Labels

github actions Github actions related

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Fdawgs @Uzlopak @Eomm