setup-uv/.github/workflows
Kevin Stillhammer 2ff70eebcc Harden Dependabot build workflow (#788)
## Summary
- keep the Dependabot build workflow single-job, but harden it a bit
- replace `git-auto-commit-action` with explicit `git` commands and
step-scoped push auth
- add concurrency, a timeout, stricter Dependabot gating, and a guard
for moved PR heads

## Why
The workflow currently fails in the commit step because
`actions/checkout` uses `persist-credentials: false`, but
`git-auto-commit-action` later tries to push via `origin` without any
credentials:

```
fatal: could not read Username for 'https://github.com': No such device or address
```

This change fixes that failure while keeping credentials scoped to the
push step instead of persisting them for the whole job.

## Details
- require `github.event.pull_request.user.login == 'dependabot[bot]'`
- also require the PR head repo to match `github.repository`
- also require the head ref to start with `dependabot/`
- check out the exact PR head SHA
- run `npm ci --ignore-scripts`
- disable git hooks before commit
- skip the dist commit if the PR head moved during the run

## Validation
- `actionlint .github/workflows/dependabot-build.yml`
2026-03-07 12:05:51 +01:00
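The hardened shape the commit describes (Dependabot-only gating, exact-SHA checkout with no persisted credentials, `npm ci --ignore-scripts`, hooks disabled, a moved-head guard, and a token that only the push step can see), written out as an added illustration. This is not the project's `dependabot-build.yml`; the trigger, the Node setup, the `npm run build` step, the `dist` path and the commit author identity are assumptions chosen to make the example self-contained.

```yaml
name: Dependabot build (illustrative, not the project's workflow)

on:
  pull_request:            # assumption: the real trigger/event types may differ
    types: [opened, synchronize, reopened]

# One run per PR; a newer push cancels the in-flight run
concurrency:
  group: dependabot-build-${{ github.event.pull_request.number }}
  cancel-in-progress: true

permissions:
  contents: write          # needed to push the rebuilt dist back to the PR branch

jobs:
  build:
    # Stricter gating: actor, head repo and branch prefix must all match
    if: >-
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository &&
      startsWith(github.event.pull_request.head.ref, 'dependabot/')
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # exact SHA, not the moving branch
          persist-credentials: false                       # nothing left in .git/config

      - uses: actions/setup-node@v4        # assumption: Node-based build
        with:
          node-version: 20

      - run: npm ci --ignore-scripts       # no dependency lifecycle scripts
      - run: npm run build                 # assumption: writes dist/

      - name: Commit and push dist
        env:
          # Token is exposed to this step only, never persisted by checkout
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          EXPECTED_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          set -euo pipefail
          git config core.hooksPath /dev/null     # disable any checked-in hooks
          git add dist
          if git diff --cached --quiet; then
            echo "dist is up to date"
            exit 0
          fi
          # Guard: if the PR head moved while we were building, do not push a stale dist
          current=$(git ls-remote origin "refs/heads/${HEAD_REF}" | cut -f1)
          if [ "${current}" != "${EXPECTED_SHA}" ]; then
            echo "PR head moved from ${EXPECTED_SHA} to '${current}'; skipping commit"
            exit 0
          fi
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git commit -m "chore: rebuild dist"
          # Plain (non-force) push: a head that moves between the check and the push
          # is rejected as non-fast-forward instead of being overwritten
          git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" \
            "HEAD:refs/heads/${HEAD_REF}"
```

Because checkout pinned the exact head SHA, `HEAD:refs/heads/<branch>` is a fast-forward only when the branch still points at that SHA; the `ls-remote` check skips the commit cleanly in the common case, and the non-force push closes the remaining window. Whether `GITHUB_TOKEN` actually carries write access on a Dependabot-triggered run depends on the repository's Actions settings, which the commit message does not state.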