## Summary
- keep the Dependabot build workflow single-job, but harden it a bit
- replace `git-auto-commit-action` with explicit `git` commands and step-scoped push auth
- add concurrency, a timeout, stricter Dependabot gating, and a guard for moved PR heads
## Why
The workflow currently fails in the commit step because
`actions/checkout` uses `persist-credentials: false`, but
`git-auto-commit-action` later tries to push via `origin` without any
credentials:
```
fatal: could not read Username for 'https://github.com': No such device or address
```
This change fixes that failure while keeping credentials scoped to the
push step instead of persisting them for the whole job.
## Details
- require `github.event.pull_request.user.login == 'dependabot[bot]'`
- also require the PR head repo to match `github.repository`
- also require the head ref to start with `dependabot/`
- check out the exact PR head SHA
- run `npm ci --ignore-scripts`
- disable git hooks before commit
- skip the dist commit if the PR head moved during the run
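The list above, assembled into one workflow file. This is an added example written for this page, not the repository's own `dependabot-build.yml`; the job name, the `actions/setup-node` step and Node version, the commit message and the bot identity are assumptions, and `npm run all` is assumed to be the project's rebuild script as described further down the page. The push step passes the token on a single `git -c` command line rather than writing it into `.git/config`, which is what keeps the credential scoped to that step.

```yaml
name: Dependabot build

on:
  pull_request:
    types: [opened, synchronize, reopened]

# Dependabot-triggered pull_request runs get a read-only GITHUB_TOKEN by
# default; the permissions key raises it to what the push step needs.
permissions:
  contents: write

# One run per PR; a newer push to the PR cancels the stale run.
concurrency:
  group: dependabot-build-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  build:  # job name is an assumption
    # Gate on the PR author (not github.event.sender, which is whoever
    # triggered the event), on the head living in this repository, and on
    # the branch prefix Dependabot uses.
    if: >-
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository &&
      startsWith(github.event.pull_request.head.ref, 'dependabot/')
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
        with:
          # The exact head SHA from the event, not the branch tip at checkout time.
          ref: ${{ github.event.pull_request.head.sha }}
          # Leave no token in .git/config for later steps (or npm scripts) to find.
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: 20  # assumption; the project pins its own version

      # Lifecycle scripts shipped by a freshly bumped dependency do not run here.
      - run: npm ci --ignore-scripts

      - run: npm run all

      - name: Commit dist/ back to the PR branch
        env:
          # Event data reaches the script through env, never via ${{ }} in the script body.
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          EXPECTED_SHA: ${{ github.event.pull_request.head.sha }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          git add -A -- dist
          if git diff --cached --quiet; then
            echo "dist/ unchanged; nothing to commit"
            exit 0
          fi
          # Step-scoped auth: one -c option on each git command, nothing persisted.
          auth="$(printf 'x-access-token:%s' "${GH_TOKEN}" | base64 -w0)"
          auth_cfg="http.https://github.com/.extraheader=AUTHORIZATION: basic ${auth}"
          # Guard for a moved PR head: the new commit is based on EXPECTED_SHA,
          # so if the branch tip is no longer that SHA, skip rather than push.
          remote_sha="$(git -c "${auth_cfg}" ls-remote --exit-code origin "refs/heads/${HEAD_REF}" | cut -f1)"
          if [ "${remote_sha}" != "${EXPECTED_SHA}" ]; then
            echo "PR head moved (${EXPECTED_SHA} -> ${remote_sha}); skipping commit"
            exit 0
          fi
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          # core.hooksPath pointing at a non-directory means no hook can run.
          git -c core.hooksPath=/dev/null commit -m "chore: rebuild dist for dependency update"
          git -c "${auth_cfg}" push origin "HEAD:refs/heads/${HEAD_REF}"
```

Two caveats worth knowing. The `ls-remote` check and the push are not atomic, but the push is a plain fast-forward push with no `--force`, so a head that moves in between is rejected by the server and the step fails instead of overwriting anything. And commits pushed with `GITHUB_TOKEN` do not trigger further workflow runs, so the PR's other checks do not re-run on the dist commit; that is GitHub's recursion guard, not something this workflow can change.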
## Validation
- `actionlint .github/workflows/dependabot-build.yml`
The previous implementation checked `github.event.sender.login`, which
is whoever triggered the event (e.g., someone closing/reopening the PR).
This fixes it to check `github.event.pull_request.user.login` instead —
the PR author — so the workflow runs correctly whenever a
Dependabot-created PR is opened, synchronized, or reopened.
When Dependabot bumps dependencies in package.json, this workflow
automatically runs `npm run all` to rebuild the dist folder and commits
the changes back to the PR.
This ensures the compiled JavaScript in `dist/` stays in sync with
dependency updates.
**How it works:**
1. Triggers on PRs opened by `dependabot[bot]`
2. Runs `npm ci` and `npm run all` (build, check, package, test)
3. Commits any changes to `dist/` back to the PR branch
Uses `stefanzweifel/git-auto-commit-action` for the commit step.