
fix: auto-merge workflow permissions and PR detection#4

Merged: dacrab merged 1 commit into main from fix/auto-merge-workflow on Feb 10, 2026

Conversation

@dacrab (Owner) commented Feb 10, 2026

Fixes auto-merge workflow failures:

  • Removed check_suite trigger (doesn't have PR context)
  • Changed to pull_request trigger only
  • Added required permissions: contents: write and pull-requests: write
  • Fixed PR reference to use PR number instead of URL
  • Use GH_TOKEN and GH_REPO env vars for gh CLI

This will allow dependabot PRs to auto-merge when CI passes.

Summary by CodeRabbit

  • Chores
    • Updated internal CI/CD automation configuration to improve workflow efficiency and security practices.

Note: This release contains no user-facing changes.

@vercel bot commented Feb 10, 2026

The latest updates on your projects.

Project: solid-studio | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Feb 10, 2026 4:03pm

@coderabbitai bot commented Feb 10, 2026

📝 Walkthrough

GitHub Actions workflow updated to modify Dependabot PR auto-merge trigger from pull_request_target to pull_request with explicit event types, added repository permissions, and refactored environment variable handling for improved security and token management.

Changes

Cohort / File(s): GitHub Actions Workflow Configuration (.github/workflows/auto-merge-dependabot.yml)
Summary: Updated workflow trigger mechanism from pull_request_target to pull_request with specific event types; added explicit contents: write and pull-requests: write permissions; refactored PR merge command to use github.event.pull_request.number instead of environment variables; replaced PR_URL and GITHUB_TOKEN with GH_TOKEN and GH_REPO for improved token handling.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A workflow so sleek, no secrets exposed,
Dependencies merged with precision composed,
Token and repo, now safely contained—
Dependabot dreams, from afar maintained! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title 'fix: auto-merge workflow permissions and PR detection' accurately summarizes the main changes: fixing GitHub Actions workflow permissions and improving PR detection logic.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@dacrab dacrab merged commit 7ad50dc into main Feb 10, 2026
5 of 7 checks passed

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/auto-merge-dependabot.yml:
- Around line 3-9: The current workflow uses a pull_request trigger which causes Dependabot PRs to run with a read-only GITHUB_TOKEN and will make commands like `gh pr merge` fail; update the workflow trigger and token usage by either switching the trigger to a follow-up `workflow_run` that runs after the PR is created (so normal write permissions and secrets are available) or keep a trigger but replace use of GITHUB_TOKEN for merge operations with a dedicated token: create a Dependabot-scoped secret (PAT or GitHub App token as a Dependabot secret) and use that secret for write operations (e.g., the `gh pr merge` step) instead of GITHUB_TOKEN; ensure you reference the top-level `on:` block and any steps invoking `gh pr merge` in the workflow when applying the change.

Comment on lines 3 to +9
on:
pull_request_target:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
check_suite:
types: [completed]

permissions:
contents: write
pull-requests: write
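Review bot: the `permissions:` block at the end of the hunk is workflow-level, so `contents: write` and `pull-requests: write` are handed to every job in the file rather than only to the job that runs `gh pr merge`; move the block under that one job so any other job keeps the default read-only token. Separately, a `pull_request` run opened by Dependabot receives a read-only `GITHUB_TOKEN` regardless of this block, so the merge call will still be rejected; either move the merge into a `workflow_run` workflow that fires after the checks complete, or give the merge step a token stored as a Dependabot secret.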

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

GitHub Actions GITHUB_TOKEN read-only dependabot pull_request trigger

💡 Result:

When a workflow is triggered by a Dependabot PR (i.e., github.actor == 'dependabot[bot]') via events like pull_request, GitHub treats it like a forked-PR run for security:

  • GITHUB_TOKEN is read-only by default
  • Repository Actions secrets are not available (only Dependabot secrets are) [1]

Even if you switch to pull_request_target, GitHub still forces read-only token + no secrets when the PR’s base ref was created by Dependabot (a hard restriction) [1][2].

What you can do

  1. Avoid writes in Dependabot-triggered runs
    Run only read-only CI (build/test/lint) on pull_request and gate any “write” steps.

  2. Split into two workflows (recommended)

    • Workflow A: runs on pull_request (Dependabot-safe), does checks only.
    • Workflow B: runs on workflow_run (after A succeeds) and can run with normal permissions because it’s not executed in the untrusted PR context. (This is the common pattern implied by GitHub’s security model in the changelog.) [3]
  3. Use a separate credential if you must write
    Use a PAT or GitHub App token stored as a Dependabot secret (not an Actions secret), and use that token for write operations. Dependabot runs can access Dependabot secrets [1].

  4. If you just need PR metadata/labels/auto-approve
    GitHub’s “Automating Dependabot with GitHub Actions” examples show using permissions: (e.g. pull-requests: write) on pull_request, but be aware that the Dependabot restrictions above still apply to secrets and token behavior in Dependabot-triggered contexts. [4][1]

Key point: you generally can’t “fix” Dependabot’s read-only GITHUB_TOKEN on pull_request—it’s an intentional platform restriction. Use a split workflow (workflow_run) or a Dependabot secret token when writes are required. [3][1]

Sources

[1] GitHub Docs — “Dependabot on GitHub Actions” (Restrictions when Dependabot triggers events) (docs.github.com)
[2] GitHub Changelog — pull_request_target base-ref-by-Dependabot always read-only/no secrets (github.blog)
[3] GitHub Changelog — Dependabot PR workflows treated like forks; read-only token/no secrets (github.blog)
[4] GitHub Docs — “Automating Dependabot with GitHub Actions” examples using permissions: (docs.github.com)


🏁 Script executed:

find .github/workflows -name "auto-merge-dependabot.yml" -type f

Repository: dacrab/solid-studio

Length of output: 106


🏁 Script executed:

cat .github/workflows/auto-merge-dependabot.yml

Repository: dacrab/solid-studio

Length of output: 592


This workflow will fail—Dependabot PRs on pull_request trigger receive a read-only GITHUB_TOKEN, which cannot be overridden by the permissions: block.

When GitHub Actions runs a workflow triggered by a Dependabot PR (identified by github.actor == 'dependabot[bot]'), the GITHUB_TOKEN is automatically downgraded to read-only for security, regardless of the permissions: configuration. The gh pr merge command will fail with a 403 permission error.

Switching to pull_request_target alone won't help—GitHub still restricts Dependabot-triggered workflows to read-only access when the base ref was created by Dependabot.

The recommended solutions are:

  1. Use workflow_run trigger instead: runs after the pull request is fully created, with normal write permissions and access to secrets.
  2. Use a separate token: store a PAT or GitHub App token as a Dependabot secret (not an Actions secret) and use it for write operations.
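The split-workflow pattern the review above recommends, written out as an added example that is not the repository's own file: a merge workflow triggered by workflow_run after an assumed check workflow named "CI" finishes, with write scopes confined to the single job that merges and a guard that only acts on branches Dependabot created. The workflow name "CI", the job name and the branch-prefix check are assumptions, not something from this PR.

```yaml
# Added example: companion workflow to a pull_request check workflow (assumed to be
# named "CI"). Because workflow_run executes in the default-branch context, the
# GITHUB_TOKEN here is not downgraded to read-only the way it is on Dependabot's
# own pull_request runs.
name: Auto-merge Dependabot

on:
  workflow_run:
    workflows: ["CI"]        # assumed name of the check workflow that runs on pull_request
    types: [completed]

# Disable all scopes at workflow level; the merge job below re-enables only what it needs.
permissions: {}

jobs:
  merge:
    # Act only when the checks passed, the triggering run came from a PR,
    # and that PR was opened by Dependabot.
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.actor.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      contents: write        # required to perform the merge
      pull-requests: write   # required to enable auto-merge on the PR
    steps:
      - name: Enable auto-merge for the Dependabot PR
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          # Pass the head branch through env rather than interpolating it into the
          # script, so branch names cannot be interpreted as shell syntax.
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: |
          # Second guard: refuse anything outside the dependabot/* branch namespace.
          case "$HEAD_BRANCH" in
            dependabot/*) ;;
            *) echo "Refusing to merge non-Dependabot branch: $HEAD_BRANCH"; exit 1 ;;
          esac
          # gh pr merge accepts a branch name; --auto defers to branch protection
          # (required status checks) instead of forcing the merge immediately.
          gh pr merge "$HEAD_BRANCH" --auto --squash
```

Repository auto-merge must be enabled in the repository settings for `--auto` to be accepted.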
