fix(.github/workflows): scope dependabot-auto-merge token permissions to job level

markuslf · markuslf · commit 9398ba60ca74 · 2026-05-01T11:14:37.000+02:00
Move the contents/pull-requests write scopes from the top-level
permissions block down to the job that actually uses them, and
restrict the workflow's default token to read-all. Matches the
pattern used by the other Linuxfabrik workflows and clears the
OpenSSF Scorecard Token-Permissions finding for this workflow.
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -1,25 +1,26 @@
-name: "Linuxfabrik: Dependabot auto-merge"
+name: 'Linuxfabrik: Dependabot auto-merge'
 
 on:
-  pull_request:
+  pull_request: {}
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: 'read-all'
 
 jobs:
   auto-merge:
-    runs-on: ubuntu-latest
-    if: github.actor == 'dependabot[bot]'
+    runs-on: 'ubuntu-latest'
+    if: 'github.actor == ''dependabot[bot]'''
+    permissions:
+      contents: 'write'
+      pull-requests: 'write'
     steps:
 
-      - uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
-        id: meta
+      - uses: 'dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98' # v3.1.0
+        id: 'meta'
 
       - if: >-
           steps.meta.outputs.update-type == 'version-update:semver-patch'
           || steps.meta.outputs.update-type == 'version-update:semver-minor'
-        run: gh pr merge --auto --squash "$PR_URL"
+        run: 'gh pr merge --auto --squash "$PR_URL"'
         env:
-          PR_URL: ${{ github.event.pull_request.html_url }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: '${{ github.event.pull_request.html_url }}'
+          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Security
+
+* **ci**: Scope `GITHUB_TOKEN` permissions in the dependabot-auto-merge workflow to the job level, with top-level now `read-all`. Matches the pattern used by the other Linuxfabrik workflows and addresses the OpenSSF Scorecard `Token-Permissions` finding.
+
 ### Breaking Changes
 
 Build, CI/CD:
