Revert to pull_request trigger after pull_request_target rejection #29
Conversation
So I don't get lost in why each write permission is necessary.
There's no value in reading the CI status while reacting to Dependabot PRs, as the interesting statuses are not updated until afterwards in time because CI takes longer to complete.
This avoids the security concern of checking out untrusted PR code while running with pull_request_target permissions, which grants write access to the repository.
The pull_request_target trigger was intended to satisfy OIDC requirements for Claude Code's GitHub app impersonation, but this approach does not work with Dependabot PRs. See anthropics/claude-code-action#713
The major job now runs for all ecosystems, not just github_actions. GitHub Actions-specific guidance is preserved in a conditional section within the prompt itself.
Pull request overview
This PR reverts from pull_request_target to pull_request trigger in the Dependabot workflow due to backend rejection issues with the Claude GitHub app. The change accepts that Claude jobs will fail when Dependabot updates the workflow file itself, but mitigates this by removing checkout steps and minimizing third-party actions, making such updates less frequent.
Key Changes:
- Switched trigger from `pull_request_target` back to `pull_request`
- Removed `actions/checkout@v4` steps from Claude review jobs
- Updated Claude prompts to use `gh pr diff` and `gh pr view` commands instead of relying on checked-out code
Prompts now clarify there is no local checkout available. Minor reviews allow gh pr diff, view, and review (but not merge). Major reviews restrict to comment-only with explicit disallow rules for approval commands.
Replaces four separate jobs (metadata, patch, minor, major) with a single "mergeview" job using conditional steps. This addresses several issues with the multi-job approach:

- **Eliminated job output declarations** - No longer need to explicitly pass metadata outputs between jobs via `needs.metadata.outputs.*`
- **Reduced workflow overhead** - Single job avoids queuing delays between dependent jobs
- **Simplified conditional logic** - Step-level `if:` conditions are easier to follow than job-level dependencies

All existing behavior is preserved: patch auto-approval, Claude reviews for minor/major updates, and selective auto-merge.

Note: merging #29 into main worked but with minor glitches. This PR also fixes them. See details in each commit.

## Test plan

- [ ] Verify patch update triggers auto-approve and auto-merge
- [ ] Verify minor update triggers Claude review then auto-merge
- [ ] Verify major update triggers Claude review without auto-merge
Completes the Dependabot review workflow in the effort to close #4.
Neither `pull_request` nor `pull_request_target` triggers work reliably when Dependabot updates this workflow file:

- `pull_request` fails OIDC validation because the workflow file in the PR differs from main (Fix OIDC validation for Dependabot workflow self-updates #25)
- `pull_request_target` was supposed to fix this by running from main, but the Claude GitHub app backend rejects it anyway (OIDC token exchange rejects pull_request_target events anthropics/claude-code-action#713)

The pragmatic solution: revert to `pull_request` and minimize the actions used in this file. By stripping down to just `gh` CLI commands (no checkout, no third-party actions beyond `dependabot/fetch-metadata` and `anthropics/claude-code-action`), Dependabot will rarely need to update this file—sidestepping the OIDC issue entirely.

When Dependabot does update this file, Claude jobs will fail, but the patch/minor auto-approve logic still runs since those jobs don't use Claude.
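The workflow shape this thread converges on (the `pull_request` trigger, no checkout step, a single job with step-level `if:` conditions, and `gh` CLI calls for approve/merge), written out as an added example. This is not the repository's actual workflow file; the file and job names, the `ANTHROPIC_API_KEY` secret name, and the `anthropic_api_key` / `prompt` input names for `anthropics/claude-code-action` are assumptions, and the prompts are illustrative. The comment at the top of the steps shows the checkout pattern the PR description calls out as the security concern, so the two can be compared side by side:

```yaml
# Added example (not the repository's own workflow): a Dependabot review
# job that runs on `pull_request`, never checks out PR code, and drives
# approval and merge through the gh CLI. Assumed, not taken from the thread:
# the workflow/job names, the ANTHROPIC_API_KEY secret name, and the
# claude-code-action input names `anthropic_api_key` and `prompt`.
name: dependabot-review

on:
  pull_request:
    # The workflow file from the PR branch is what runs, so a Dependabot
    # update to this file changes what executes (the OIDC mismatch the
    # thread describes). In exchange there is no base-repo write context
    # handed to PR-controlled code.

# Declare only what the gh commands below need. Dependabot-triggered runs get
# a read-only GITHUB_TOKEN unless permissions are set explicitly.
permissions:
  contents: write        # gh pr merge
  pull-requests: write   # gh pr review --approve, review comments

jobs:
  mergeview:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      PR_URL: ${{ github.event.pull_request.html_url }}
    steps:
      # Deliberately absent: the pattern below. Under pull_request_target it
      # checks out attacker-influenced PR code and then runs it (tests,
      # install scripts) with the base repository's write-capable token.
      #
      #   - uses: actions/checkout@v4
      #     with:
      #       ref: ${{ github.event.pull_request.head.sha }}
      #
      # Every step here talks to the API only; nothing from the PR executes.

      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Patch update, auto-approve and enable auto-merge
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
        run: |
          gh pr review --approve "$PR_URL"
          gh pr merge --auto --squash "$PR_URL"

      - name: Minor update, Claude review (may approve, must not merge)
        if: steps.metadata.outputs.update-type == 'version-update:semver-minor'
        uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}   # assumed input name
          prompt: |                                            # assumed input name
            There is no local checkout of this repository. Inspect the change
            with `gh pr diff ${{ github.event.pull_request.number }}` and
            `gh pr view ${{ github.event.pull_request.number }}`. You may run
            `gh pr review --approve` or `gh pr review --request-changes`.
            Never run `gh pr merge`.

      - name: Minor update, enable auto-merge (completes only once approved)
        if: steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr merge --auto --squash "$PR_URL"

      - name: Major update, Claude review (comment only)
        if: steps.metadata.outputs.update-type == 'version-update:semver-major'
        uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}   # assumed input name
          prompt: |                                            # assumed input name
            There is no local checkout of this repository. Summarize
            `gh pr diff ${{ github.event.pull_request.number }}` for a human
            reviewer as a PR comment. Do not run `gh pr review --approve`
            and do not run `gh pr merge`.
```

Two checks worth doing before relying on this: runs triggered by Dependabot see only Dependabot secrets (Settings, Secrets and variables, Dependabot), so the `ANTHROPIC_API_KEY` has to live there rather than among the Actions secrets, otherwise the Claude steps start with an empty key; and `gh pr merge --auto` only arms auto-merge, so the major-update path stays unmerged as the thread intends because nothing ever approves it.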