fix: ASH PR comment artifacts and dependabot auto-merge workflow

- Consolidate ASH scan artifacts into single directory for reliable download paths
- Add debug logging to comment workflow for artifact verification
- Switch dependabot workflow to pull_request_target trigger
- Use github.actor for dependabot bot detection

Author: kaleko

.github/workflows/ash-security-comment.yml

@@ -23,6 +23,11 @@ jobs:
           run-id: ${{ github.event.workflow_run.id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Debug artifact contents
+        run: |
+          echo "Artifact contents:"
+          find /tmp/ash-results -type f | head -20
+
       - name: Get PR information
         id: pr-info
         run: |
@@ -49,6 +54,8 @@ jobs:
           script: |
             const fs = require('fs');
             const commentPath = '/tmp/ash-results/pr_comment.md';
+            console.log('Looking for comment file at:', commentPath);
+            console.log('File exists:', fs.existsSync(commentPath));
 
             if (!fs.existsSync(commentPath)) {
               console.log('No comment file found in artifacts');

.github/workflows/ash-security-scan.yml

@@ -202,25 +202,24 @@ jobs:
             echo "has_findings=false" >> "$GITHUB_OUTPUT"
           fi
 
-      - name: Save PR metadata
+      - name: Prepare artifacts
         if: steps.changed-files.outputs.any_changed == 'true'
         env:
           PR_NUMBER: ${{ github.event.pull_request.number }}
           PR_SHA: ${{ github.event.pull_request.head.sha }}
         run: |
-          echo "${PR_NUMBER}" > /tmp/pr_number.txt
-          echo "${PR_SHA}" > /tmp/pr_sha.txt
+          mkdir -p /tmp/ash-artifacts
+          echo "${PR_NUMBER}" > /tmp/ash-artifacts/pr_number.txt
+          echo "${PR_SHA}" > /tmp/ash-artifacts/pr_sha.txt
+          cp /tmp/pr_comment.md /tmp/ash-artifacts/pr_comment.md
+          cp -r /tmp/ash-scan/.ash/ /tmp/ash-artifacts/.ash/ 2>/dev/null || true
 
       - name: Upload ASH results and PR metadata
         if: steps.changed-files.outputs.any_changed == 'true' && always()
         uses: actions/upload-artifact@v4
         with:
           name: ash-security-results
-          path: |
-            /tmp/ash-scan/.ash/
-            /tmp/pr_comment.md
-            /tmp/pr_number.txt
-            /tmp/pr_sha.txt
+          path: /tmp/ash-artifacts/
           retention-days: 30
 
       - name: Security scan summary

.github/workflows/dependabot.yml

@@ -1,8 +1,8 @@
 name: Dependabot auto-merge
 
 on:
-  pull_request:
-    types: [opened, synchronize]
+  pull_request_target:
+    types: [opened, synchronize, reopened]
 
 permissions:
   pull-requests: write
@@ -11,7 +11,7 @@ permissions:
 jobs:
   dependabot:
     runs-on: ubuntu-latest
-    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    if: github.actor == 'dependabot[bot]'
     steps:
       - name: Dependabot metadata
         id: metadata