From 6cadca395f9cf4a2c3cd768dc5ed80203ec3ac3a Mon Sep 17 00:00:00 2001
From: forged-request <104775415+forged-request@users.noreply.github.com>
Date: Tue, 6 Jan 2026 10:38:52 +0100
Subject: [PATCH] chore: [SECURITY-1357] refine condition for dependabot approval in workflow

This change improves the security of the dependabot auto-approval workflow by:
- Checking the PR user login instead of github.actor
- Verifying the PR is from the same repository (not a fork)

This prevents potential security issues where forked PRs could be auto-approved.
---
 .github/workflows/dependabot-approve-and-request-merge.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/dependabot-approve-and-request-merge.yml b/.github/workflows/dependabot-approve-and-request-merge.yml
index a2c9b5de..4e055a21 100644
--- a/.github/workflows/dependabot-approve-and-request-merge.yml
+++ b/.github/workflows/dependabot-approve-and-request-merge.yml
@@ -8,7 +8,7 @@ jobs:
 contents: write
 id-token: write
 runs-on: ubuntu-latest
- if: github.actor == 'dependabot[bot]'
+ if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
 steps:
 - uses: contentful/github-auto-merge@v1
 with:
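Review bot: The new `if:` line packs two independent security checks into one unbroken expression with no comment saying why each is there, so a later "simplification" could silently drop the fork check and reopen the issue the commit title names. Add a comment directly above it, e.g. `# Approve only PRs authored by Dependabot itself (github.actor can be satisfied by a fork owner running Dependabot) and only when the head branch lives in this repository, never in a fork.` The guard is only meaningful under a pull-request trigger: for any other event `github.event.pull_request` is null, the expression is false and the job simply skips, which is safe but worth stating; the `on:` block and the job header sit outside the hunk, so confirm which trigger (`pull_request` vs `pull_request_target`) grants the `contents: write` and `id-token: write` permissions shown on the context lines above. If a stronger identity binding is wanted, comparing `github.event.pull_request.user.id` against Dependabot's numeric user id (look it up rather than hard-coding from memory) is immune to login renames, although `[bot]`-suffixed logins are reserved for GitHub Apps so the login check as written is reasonable.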