Fix permissions for the dependabot contraintlayout check #14570
base: trunk
Conversation
Pull Request Overview

This PR fixes permissions for a GitHub Actions workflow that posts warning comments on Dependabot constraint-layout updates. The workflow was failing due to insufficient permissions when attempting to write comments on pull requests.

- Changed trigger from `pull_request` to `pull_request_target` to enable write access
- Added explicit `pull-requests: write` permission to allow comment posting
```diff
 on:
-  pull_request:
+  pull_request_target:
```
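Review bot: Switching the trigger on `on:` from `pull_request` to `pull_request_target` makes this job run base-branch workflow code with a write-capable `GITHUB_TOKEN` for every pull request, including ones opened from forks, so the hunk needs a companion guard that the PR author is Dependabot (for example `if: github.event.pull_request.user.login == 'dependabot[bot]'` on the job) and the workflow must never check out or execute the PR head under this trigger; the `pull-requests: write` permission this PR also adds widens what a missed guard could be abused for.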
Copilot (AI), Sep 4, 2025:
Using `pull_request_target` with Dependabot creates a security risk as it runs with write permissions in the context of the target repository. Consider adding explicit checks to verify the PR author is `dependabot[bot]` before any sensitive operations, or explore using `pull_request` with a GitHub token that has appropriate permissions.
Maybe this is indeed it @malinajirka, and we could use something like @wzieba did here: #14556

- Adding the permission at the top level instead:

```yaml
permissions:
  pull-requests: write
```

- Using the `GH_TOKEN` environment variable:

```yaml
env:
  PR_URL: ${{ github.event.pull_request.html_url }}
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

- And running the step with:

```yaml
- name: Xyz
  ...
  with:
    github-token: "${{ secrets.GITHUB_TOKEN }}"
```

Then keep `pull_request` as is for now, then test it, wdyt? 🤔
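The two review comments above pull in opposite directions: one warns that `pull_request_target` hands a write-capable token to a workflow triggered by untrusted pull requests, the other proposes keeping `pull_request` and relying on a top-level `permissions:` block. The workflow below is an added example, not the project's own workflow or code from either commenter, showing how `pull_request_target` can be used while still honouring the first comment's advice: the job is gated on the PR author being `dependabot[bot]`, permissions are declared at the top level as the second comment suggests, and the PR head is never checked out or executed. The workflow name, the title check for the string `constraintlayout`, and the warning text are assumptions for illustration.

```yaml
# Added example workflow (hypothetical, not the project's own file).
name: Warn on Dependabot constraint-layout updates

on:
  # pull_request_target runs the workflow definition from the base branch
  # with a write-capable GITHUB_TOKEN, even for PRs opened from forks.
  pull_request_target:
    types: [opened, synchronize, reopened]

# Top-level permissions (as suggested in the review), kept to the minimum
# the comment step needs.
permissions:
  contents: read
  pull-requests: write

jobs:
  warn:
    # Gate on the PR author. github.event.pull_request.user.login is set by
    # GitHub from the PR itself and cannot be chosen by a third-party submitter.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout here: under pull_request_target the
      # token can write to the repository, so PR-head code must never run.
      - name: Post warning comment on constraint-layout updates
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const pr = context.payload.pull_request;
            // Assumed matching rule: Dependabot titles name the updated package.
            if (!/constraintlayout/i.test(pr.title)) {
              core.info('Not a constraintlayout update, nothing to do');
              return;
            }
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: pr.number,
              // Assumed warning text for illustration.
              body: 'Heads-up: constraint-layout updates need manual verification before merging.',
            });
```

The job-level `if:` is the piece that makes `pull_request_target` acceptable here: without it, every fork PR would trigger a run holding a token with `pull-requests: write`. If the workflow ever needs files from the PR, the safer alternative the first comment alludes to is to stay on `pull_request` and post the comment with a token that has the needed scope (a GitHub App or fine-grained PAT stored as a secret), since Dependabot-triggered `pull_request` runs receive a read-only `GITHUB_TOKEN`.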
This PR is an attempt at fixing the GitHub Action that drops a warning comment on Dependabot constraint-layout updates. Since there is no way to verify it works, I believe we just need to merge it and then test it on #14400.