Add Dependabot auto-merge#52
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7603210fff
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| BRANCH_NAME="${{ github.event.workflow_run.head_branch }}" |
There was a problem hiding this comment.
github.event.workflow_run.head_branch is interpolated directly into BRANCH_NAME="..." in a shell script, so a branch name containing backticks triggers command substitution at assignment time. Because this workflow runs on workflow_run with contents: write/pull-requests: write, an attacker can open a PR from a branch like dependabot/...`` and get arbitrary shell execution before the later Dependabot author check runs. This creates a privilege-escalation path from untrusted branch names into a privileged workflow; treat the branch name as untrusted input and pass it via a safe channel (e.g., environment variable already escaped by Actions, or strict sanitization before shell evaluation).
Useful? React with 👍 / 👎.
1 participant
Enable automatic merging for Dependabot PRs after CI succeeds, and suppress semver major dependency updates for safety.