> I have never seen anyone auto-merge a Dependabot PR automatically using a GitHub Action.

For better or worse, it's a pattern that GitHub explicitly documents[1].

(An earlier version of this page also recommended `pull_request_target`, hence the long tail of public repositories that use it.)

[1]: https://docs.github.com/en/code-security/dependabot/working-...



