chore: enable dependabot config #982
Workflow file for this run
# Stub workflow — A copy of this workflow must live on the default branch (3.0) so that the
# pull_request_target event can trigger it with access to GITHUB_TOKEN (pull-requests: write).
# It delegates all real work to the reusable template on 4.0.
#
# This two-stage design lets fork PRs trigger the check safely: the stub runs in the
# context of the default branch (with write token), but the reusable workflow checks out
# the PR's data files (TOML configs, specs) into a separate directory — never mixing
# untrusted code with execution context.
#
# The stub must exist on the default branch because pull_request_target always runs
# workflows from there. The reusable workflow on 4.0 has the actual scripts,
# container setup, and rendering logic.
name: Check Rendered Specs
# pull_request_target gives us a GITHUB_TOKEN with pull-requests: write even for fork PRs.
# The stub itself runs NO code from the PR — it only delegates to a trusted reusable
# workflow pinned to 4.0, which checks out PR data (not code) into an
# isolated subdirectory.
on: # zizmor: ignore[dangerous-triggers]
  pull_request_target:
    branches:
      - "4.0"
# No default permissions: the job below requests exactly what it needs.
permissions: {}
concurrency:
  group: render-check-${{ github.event.pull_request.number }}
  cancel-in-progress: true
jobs:
  check:
    # Prevent forks from running a stale/vulnerable copy of this stub with Actions enabled
    if: github.repository == 'microsoft/azurelinux'
    # Intentionally branch-pinned so the reusable workflow picks up updates automatically.
    # The pin trusts whoever can push to 4.0 of this same repository, which is the
    # trust boundary that already exists for the scripts it contains.
    uses: microsoft/azurelinux/.github/workflows/check-rendered-specs.yml@4.0 # zizmor: ignore[unpinned-uses]
    permissions:
      contents: read
      pull-requests: write # Post/update/delete drift comments on PRs
    with:
      pr-head-sha: ${{ github.event.pull_request.head.sha }}
      pr-head-repo: ${{ github.event.pull_request.head.repo.full_name }}
      pr-base-sha: ${{ github.event.pull_request.base.sha }}
      pr-number: ${{ github.event.pull_request.number }}
      repo: ${{ github.repository }}
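The stub's comments describe the isolating step without showing it: the reusable workflow must bring the PR's data files, pinned to the head SHA recorded when the run was triggered, into a directory separate from the trusted checkout, and must execute nothing from that commit. The shell below is an added example of that step. It is not microsoft/azurelinux's check-rendered-specs.yml; the input validation rules, the directory layout, the choice of SPECS/ as the only data path, and the throwaway local repository that stands in for a fork are all assumptions made for illustration.

```shell
# Added example, not the project's own workflow code. The validation rules,
# paths and the local "fork" fixture below are assumptions.
set -eu

# The stub forwards PR metadata as workflow inputs. Validate each one before it
# reaches a shell command, even though GitHub already constrains their shape.
valid_sha() {
  # exactly 40 lowercase hex characters: a full commit id, not an abbreviation
  case "$1" in
    *[!0-9a-f]*|"") return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

valid_repo_slug() {
  # owner/name built only from the characters GitHub allows in those names
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$'
}

# Materialise only data paths from one specific commit of the PR head repository
# into an isolated directory. Nothing from that commit is executed: no workflow
# files, no scripts, no hooks. Arguments: remote-url sha dest-dir path...
fetch_pr_data() {
  remote="$1"; sha="$2"; dest="$3"; shift 3
  valid_sha "$sha" || { echo "refused: '$sha' is not a full commit id" >&2; return 1; }
  rm -rf "$dest"
  # --no-checkout brings the objects in without writing any working tree yet.
  git clone -q --no-checkout "$remote" "$dest" || return 1
  # Pin to the SHA recorded when the run was triggered, not to the branch name,
  # so a force-push to the PR branch after triggering cannot change what we read.
  git -C "$dest" cat-file -e "$sha^{commit}" || { echo "refused: $sha not in $remote" >&2; return 1; }
  git -C "$dest" checkout -q "$sha" -- "$@" || return 1
}

# Constructed fixture: a throwaway local repository standing in for a fork. It
# holds a data file (SPECS/hello.spec) next to a workflow file of the kind a
# malicious PR might add; only the former should reach the checkout directory.
make_fake_fork() {
  fork=$(mktemp -d)
  git -C "$fork" init -q
  mkdir -p "$fork/SPECS" "$fork/.github/workflows"
  printf 'Name: hello\nVersion: 1.0\n' > "$fork/SPECS/hello.spec"
  printf 'on: push\njobs: {}\n' > "$fork/.github/workflows/injected.yml"
  git -C "$fork" -c user.name=fixture -c user.email=fixture@example.invalid add -A
  git -C "$fork" -c user.name=fixture -c user.email=fixture@example.invalid commit -q -m fixture
  printf '%s\n' "$fork"
}

# Run the flow against the fixture and report what landed in the isolated
# directory. Prints "data-only" when the spec arrived and the workflow file did
# not, which is the property the two-stage design relies on.
demo_isolated_checkout() {
  fork=$(make_fake_fork)
  sha=$(git -C "$fork" rev-parse HEAD)
  dest=$(mktemp -d)/pr-data
  fetch_pr_data "$fork" "$sha" "$dest" SPECS || return 1
  if [ -f "$dest/SPECS/hello.spec" ] && [ ! -e "$dest/.github/workflows/injected.yml" ]; then
    echo data-only
  else
    echo mixed
    return 1
  fi
}
```

In a real reusable workflow the remote would be built from the `pr-head-repo` input (for example `https://github.com/<owner>/<name>.git`) and the inputs would be passed into the step through `env:` rather than interpolated with `${{ }}` directly inside `run:`, so that the validators above see the raw value and nothing is ever spliced into the shell text. Checking out by the recorded `pr-head-sha` rather than by the PR's branch name is what makes the result reproducible and immune to a later force-push.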