Update GitHub Actions PR validation logic

matifali · matifali · commit ed7875d6070f · 2025-01-31T14:11:25.000Z
Switch `release-labels` job trigger to `pull_request_target` and refine
`dependabot` automerge conditions by verifying `actor_id`. Enhance
logging for approval and merge steps to provide better visibility.
diff --git a/.github/workflows/contrib.yaml b/.github/workflows/contrib.yaml
@@ -47,7 +47,7 @@ jobs:
   release-labels:
     runs-on: ubuntu-latest
     # Skip tagging for draft PRs.
-    if: ${{ github.event_name == 'pull_request' && !github.event.pull_request.draft }}
+    if: ${{ github.event_name == 'pull_request_target' && !github.event.pull_request.draft }}
     steps:
       - name: release-labels
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
diff --git a/.github/workflows/dependabot.yaml b/.github/workflows/dependabot.yaml
@@ -18,7 +18,7 @@ jobs:
   # Dependabot is annoying, but this makes it a bit less so.
   dependabot-automerge:
     runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'coder/coder'
+    if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && github.actor_id == 49699333 && github.repository == 'coder/coder'
     permissions:
       pull-requests: write
       contents: write
@@ -30,21 +30,25 @@ jobs:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
 
       - name: Approve the PR
-        run: gh pr review --approve "$PR_URL"
+        run: |
+          echo "Approving $PR_URL"
+          gh pr review --approve "$PR_URL"
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
           GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
 
       - name: Enable auto-merge
-        run: gh pr merge --auto --squash "$PR_URL"
+        run: |
+          echo "Enabling auto-merge for $PR_URL"
+          gh pr merge --auto --squash "$PR_URL"
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
           GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
 
   dependabot-automerge-notify:
     # Send a slack notification when a dependabot PR is merged.
     runs-on: ubuntu-latest
-    if: github.event_name == 'push' && github.actor == 'github-actions[bot]'
+    if: github.event_name == 'push' && github.actor == 'github-actions[bot]' && github.actor_id == 41898282 && github.repository == 'coder/coder'
     steps:
       - name: Send Slack notification
         env:
