@yonatankarp yonatankarp commented Sep 8, 2025

Summary by CodeRabbit

  • Security

    • Reduced exposure by removing the target-based PR workflow trigger.
    • Applied least-privilege permissions to the Dependabot auto-merge job.
  • Chores

    • Streamlined PR workflow to run only on standard pull request events.
    • Updated auto-merge conditions to rely on the Dependabot actor.
    • Standardized the token used for Dependabot merges.
    • No changes to existing linting or pipeline jobs.
  • No User-Facing Changes

    • Application behavior and UI remain unchanged.


coderabbitai bot commented Sep 8, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

The workflow .github/workflows/pull_request.yml now triggers only on pull_request events. The dependabot_auto_merge job’s condition checks only the actor, explicit job permissions were added, and the secret name used for the merge token was changed. No other jobs or linters were modified.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Workflow trigger and Dependabot auto-merge updates<br>`.github/workflows/pull_request.yml` | Removed `on.pull_request_target` trigger; retained `on.pull_request`.<br>`dependabot_auto_merge`: `if` changed from `github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]'` to `github.actor == 'dependabot[bot]'`.<br>Added job permissions: `contents: write`, `pull-requests: write`.<br>Secrets mapping renamed from `GITHUB_PAT` to `DEPENDABOT_MERGE_TOKEN`, pointing to the same `${{ secrets.REVIEWER_GITHUB_TOKEN }}`. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    autonumber
    actor Dev as GitHub Actor
    participant GH as GitHub Events
    participant WF as PR Workflow
    participant Job as dependabot_auto_merge

    Dev->>GH: Open/Update PR
    GH-->>WF: Trigger on pull_request
    alt Actor is dependabot[bot]
        WF->>Job: Evaluate if condition (actor == 'dependabot[bot]')
        Job->>Job: Use permissions (contents, pull-requests: write)
        Job->>GH: Merge via DEPENDABOT_MERGE_TOKEN
    else Other actors
        WF--x Job: Skip dependabot_auto_merge job
    end
```

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A rabbit taps the merge drum tight,
Pulls on threads of PR light—
Triggers trimmed, permissions neat,
Bots now hop on merging feet.
Secrets swapped with careful care,
Carrots signed, approved to share.
Thump—another tidy hare-itage!


📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4056a54 and 8db7d18.

📒 Files selected for processing (1)
  • .github/workflows/pull_request.yml (1 hunks)

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

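The walkthrough above describes the shape of the hardened workflow without showing the file. The following is an added illustration written for this page, not the repository's actual `.github/workflows/pull_request.yml`: it keeps the names the review summary mentions (`on: pull_request`, the `dependabot_auto_merge` job, the `github.actor == 'dependabot[bot]'` condition, job-level `contents: write` / `pull-requests: write`, and the `DEPENDABOT_MERGE_TOKEN` mapping to `secrets.REVIEWER_GITHUB_TOKEN`), and shows the removed `pull_request_target` trigger as a commented-out line so the weak and corrected settings sit side by side. The merge step itself (`dependabot/fetch-metadata` plus `gh pr merge`) and the top-level `permissions: contents: read` default are assumptions; the page does not show how the real job performs the merge.

```yaml
# Added example for this page (not the repository's own workflow file).
name: Pull Request

on:
  pull_request:
    # Runs in the context of the PR itself: a fork PR gets no repository secrets
    # and the default GITHUB_TOKEN is read-only, so untrusted changes cannot
    # reach write credentials through this workflow.
    types: [opened, synchronize, reopened]
  # pull_request_target:   # REMOVED by this PR. This event runs with the base
  #                        # repository's secrets and a write-capable token while
  #                        # evaluating code proposed from a fork, which is the
  #                        # exposure the summary refers to.

# Assumed default for every job; jobs that need more raise it explicitly.
permissions:
  contents: read

jobs:
  dependabot_auto_merge:
    runs-on: ubuntu-latest
    # Condition from the PR: only runs for workflow runs triggered by Dependabot.
    if: github.actor == 'dependabot[bot]'
    # Least-privilege grant scoped to this job only (from the PR).
    permissions:
      contents: write        # required to perform the rebase merge
      pull-requests: write   # required to enable auto-merge on the PR
    env:
      # Renamed mapping from the PR; the underlying secret is unchanged.
      DEPENDABOT_MERGE_TOKEN: ${{ secrets.REVIEWER_GITHUB_TOKEN }}
    steps:
      - name: Read Dependabot update metadata (assumed step)
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable rebase auto-merge for non-major updates (assumed step)
        # Gate on the update type so a semver-major bump still needs a human.
        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
        run: gh pr merge --auto --rebase "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ env.DEPENDABOT_MERGE_TOKEN }}
```

Two points to check when applying this pattern. First, because the run is triggered by `dependabot[bot]`, GitHub only exposes Dependabot secrets (Settings, Secrets and variables, Dependabot) to the workflow, not ordinary repository secrets, so `REVIEWER_GITHUB_TOKEN` must be defined there or the step will see an empty value. Second, the job-level `permissions` block is what lets a Dependabot-triggered run obtain a write-capable `GITHUB_TOKEN` at all; keeping it on the single job rather than at workflow level means the linting and pipeline jobs the summary says were untouched continue to run with read-only access.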

@yonatankarp yonatankarp enabled auto-merge (rebase) September 8, 2025 06:58
@yonatankarp yonatankarp merged commit f9038d6 into main Sep 8, 2025
3 of 4 checks passed
@yonatankarp yonatankarp deleted the fix-auto-merge branch September 8, 2025 06:59