fix(ci): replace dependabot-auto-merge workflow with Mergify rule#1310
Open
ambient-code[bot] wants to merge 1 commit into main from
Remove the `pull_request_target`-based GitHub Actions workflow for auto-merging Dependabot PRs and replace it with a Mergify pull_request_rule that auto-approves Dependabot PRs. The existing Mergify queue rules handle merging once CI checks pass.

This eliminates the security-sensitive `pull_request_target` trigger while providing the same functionality through Mergify's native review action.

Closes #862

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ktdreyer
reviewed
Apr 14, 2026
| actions: | ||
| review: | ||
| type: APPROVE | ||
| message: Automatically approved by Mergify |
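Review bot: the `review` action with `type: APPROVE` approves a PR with no human in the loop, so the rule's conditions, which are outside the lines shown here, carry the whole trust decision. They should match on the PR author being the Dependabot account rather than on a title or branch prefix, which any contributor can imitate. The `message` key attaches the same text to every such approval; dropping it would keep the approval without the repeated comment.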
Contributor
@ambient-code this will be noisy. Don't comment on every PR.
Summary
- `.github/workflows/dependabot-auto-merge.yml` — the only workflow using the security-sensitive `pull_request_target` trigger
- `pull_request_rule` to auto-approve Dependabot PRs via the native `review` action

Why
The `pull_request_target` trigger grants write permissions to forked PRs, making it a known attack vector. Mergify's `review` action provides the same auto-approve + auto-merge functionality without this risk.

Reference: Mergify docs — Approve Dependabot Pull Requests
Closes #862
Test plan
🤖 Ambient Session
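A check a maintainer could run after a change like this to confirm that no workflow still triggers on `pull_request_target`. This is an added example, not part of the PR or the project's code: the sample workflow contents and the helper names `workflow_events` and `audit` are constructed for illustration, and the scanner is a line-based approximation of the `on:` key rather than a full YAML parser.

```python
import re

RISKY = "pull_request_target"
ON_KEY = re.compile(r"""^["']?on["']?\s*:\s*(.*)$""")

# Constructed sample workflows, not the repository's real files.
SAMPLES = {
    "dependabot-auto-merge.yml": (
        "name: auto-merge\non:\n  pull_request_target:\n"
        "    types: [opened, synchronize]\npermissions:\n  contents: write\n"
    ),
    "ci.yml": "name: ci\non: [push, pull_request]\njobs: {}\n",
    "docs.yml": "# pull_request_target appears only in this comment\non: push\n",
    "lint.yml": "on:\n- push\n- pull_request_target\njobs: {}\n",
}


def workflow_events(text):
    """Event names under the top-level `on:` key (string, list or map form)."""
    events, in_on, child_indent = set(), False, None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop YAML comments
        if not line.strip():
            continue
        match = ON_KEY.match(line)
        if match:
            inline = match.group(1).strip()
            # Inline forms: `on: push` or `on: [push, pull_request]`.
            events.update(re.findall(r"[A-Za-z_]+", inline))
            in_on, child_indent = not inline, None
            continue
        if not in_on:
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0 and not line.startswith("-"):
            in_on = False  # next top-level key closes the `on:` block
            continue
        if child_indent is None:
            child_indent = indent
        if indent == child_indent:  # direct children only, not `types:` etc.
            events.add(line.strip().lstrip("- ").split(":")[0].strip())
    return events


def audit(workflows):
    """Sorted names of workflows that trigger on pull_request_target."""
    return sorted(n for n, t in workflows.items() if RISKY in workflow_events(t))


if __name__ == "__main__":
    for name in audit(SAMPLES):
        print(f"{name}: triggers on {RISKY}")
```

To run it against a checkout, build the `workflows` mapping from the files under `.github/workflows/` instead of `SAMPLES`.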