ci(dependabot-changeset): use a deploy key instead of GITHUB_TOKEN [AR-59671]
#1307
name: Dependabot Changeset
# pull_request_target runs with the base repository's context and secrets,
# which is what lets this job use the deploy key below; it also means the
# job must never run for an arbitrary PR author (see the `if:` on the job).
on: pull_request_target # zizmor: ignore[dangerous-triggers] Need write access to the base repo to commit the changeset. See warning below.
# GITHUB_TOKEN gets no scopes at all; the commit is made through the
# deploy key passed to actions/checkout, not through the token.
permissions: {}
# One run per pull request; a newer run for the same PR cancels the older one.
concurrency:
  group: '${{ github.workflow }} @ ${{ github.event.pull_request.number }}'
  cancel-in-progress: true
jobs:
  generate:
    name: Generate
    # IMPORTANT:
    # NEVER REMOVE THIS CONDITION!
    # We're using `pull_request_target` in order to have write access to the base repository
    # so we'll be able to commit the changeset file.
    # Removing the user check could give privileged access to a potential attacker.
    # Both halves matter: the author must be dependabot[bot] AND the head branch
    # must be one of its npm production-dependency branches, because the steps
    # below execute code taken from that head branch (see the install action
    # and the generate script).
    if: |
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      startsWith(github.head_ref, 'dependabot/npm_and_yarn/npm-production-')
    runs-on: ubuntu-latest
    steps:
      # The deploy key is persisted into the checkout's git config so the
      # later step can push with it; that is the artipacked finding being
      # accepted here, and it is only acceptable because of the `if:` gate.
      - name: Checkout source code # zizmor: ignore[artipacked] Need persisted token to commit the changeset.
        # Pinned to a full commit SHA so a moved tag cannot change what runs.
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # Full history, needed to commit on top of the PR branch.
          fetch-depth: 0
          # Check out the PR's head branch (a dependabot/... branch per the
          # `if:` above); actions/checkout resolves it in this repository,
          # not in a fork.
          ref: ${{ github.head_ref }}
          # Repository deploy key with write access; replaces GITHUB_TOKEN
          # for the push (see the PR title).
          ssh-key: ${{ secrets.DEPLOY_KEY }}
      # Local action resolved from the checked-out head branch, i.e. from the
      # dependabot branch, not from the base branch.
      - name: Install Dependencies
        uses: ./.github/actions/install
      # Commit identity for the changeset commit created by the next step.
      - name: Configure git user
        run: |
          git config user.name 'github-actions[bot]'
          git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
      # Script also comes from the checked-out head branch; presumably it
      # writes the changeset file and commits/pushes it using the persisted
      # deploy key — confirm against the script itself.
      - name: Generate changeset
        run: node .github/scripts/generate-dependabot-changeset.ts