Fix permissions for the dependabot contraintlayout check #14570
Conversation
Pull Request Overview
This PR fixes permissions for a GitHub Actions workflow that posts warning comments on Dependabot constraint-layout updates. The workflow was failing due to insufficient permissions when attempting to write comments on pull requests.
- Changed trigger from `pull_request` to `pull_request_target` to enable write access
- Added explicit `pull-requests: write` permission to allow comment posting
|  | ||
| on: | ||
| pull_request: | ||
| pull_request_target: | 
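Review bot: switching the `on:` trigger from `pull_request` to `pull_request_target` in this hunk gives the workflow a write-capable GITHUB_TOKEN in the base repository's context for every PR that reaches it, including fork PRs, so the trigger change should not ship alone: pair it with an `if:` guard that the PR author is `dependabot[bot]` and make sure no step checks out or executes code from the PR head under this trigger. If the only thing the job needs is to post a comment, keep `permissions:` at `pull-requests: write` (with `contents: read`) rather than relying on the default token scopes.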
Copilot AI · Sep 4, 2025
Using pull_request_target with Dependabot creates a security risk as it runs with write permissions in the context of the target repository. Consider adding explicit checks to verify the PR author is dependabot[bot] before any sensitive operations, or explore using pull_request with a GitHub token that has appropriate permissions.
Maybe this is indeed it @malinajirka and we could use something like @wzieba did here: #14556
- Adding the permission at the top level instead:

      permissions:
        pull-requests: write

- Using the GH_TOKEN environment variable:

      env:
        PR_URL: ${{ github.event.pull_request.html_url }}
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- And running the step with

      - name: Xyz
        ...
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

Then keep pull_request as is for now, then test it, wdyt? 🤔
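As an added example that is not the repository's workflow and not code from this PR, here is one way to combine the author gate Copilot suggests with the top-level `permissions:` block and the `GH_TOKEN` environment variable from the comment above. The workflow name, job and step names, the comment text and the `constraintlayout` title filter are assumptions.

```yaml
# Added example, not the project's workflow. The names, the comment body and the
# 'constraintlayout' title filter are illustrative assumptions.
name: Warn on Dependabot constraint-layout updates

on:
  # pull_request_target runs on the base branch with a write-capable GITHUB_TOKEN,
  # which is what lets the job comment on the PR. That is only safe while the job
  # never checks out or executes code from the PR head.
  pull_request_target:
    types: [opened, synchronize]

# Restrict the token to the one scope the comment step needs.
permissions:
  contents: read
  pull-requests: write

jobs:
  warn:
    runs-on: ubuntu-latest
    # Gate on the PR author, not on a branch name that any contributor can choose.
    if: >-
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      contains(github.event.pull_request.title, 'constraintlayout')
    steps:
      # Deliberately no actions/checkout of the PR head here: under
      # pull_request_target that would run untrusted code with the write token.
      - name: Post warning comment
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh pr comment "$PR_URL" \
            --body "Heads up: constraint-layout bumps need a manual UI check before merging."
```

The `gh` CLI is preinstalled on GitHub-hosted runners and reads `GH_TOKEN` from the environment, so no extra `with: github-token:` input is needed for this step.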
This PR is an attempt at fixing the GitHub Action that drops a warning comment on Dependabot constraint-layout updates. Since there is no way to verify it works, I believe we just need to merge it and then test it on #14400.