
fix: Use ubuntu-latest for dependabot workflow security#159

Merged
pannago merged 1 commit into main from PLT-3366_dependabot_update
Apr 8, 2026

Conversation

Contributor

@pannago pannago commented Apr 8, 2026

Summary

  • Update dependabot-automerge workflow to use GitHub-hosted runners (ubuntu-latest)

Changes

  • Update .github/workflows/dependabot-automerge.yml to use ubuntu-latest instead of ci-universal-scale-set

Context

The ci-universal-scale-set runners are not accessible to this repository (stuck in queue), causing dependabot PRs to wait indefinitely.

Using GitHub-hosted runners (ubuntu-latest) provides:

  • Better security for pull_request_target workflows
  • Ephemeral, isolated environments
  • No runner group configuration needed
  • Guaranteed availability

This workflow only approves/merges dependabot PRs and doesn't execute PR code, making GitHub-hosted runners the safest choice.

Related: PLT-3366

🤖 Generated with Claude Code

Use GitHub-hosted runners (ubuntu-latest) instead of self-hosted runners
for improved security with pull_request_target workflows. GitHub-hosted
runners provide better isolation and are ephemeral, reducing security risks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
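As an added illustration of the pattern the description relies on (this is example code written for this page, not the repository's own .github/workflows/dependabot-automerge.yml, which is not shown here): a minimal pull_request_target automerge workflow that runs on ubuntu-latest, gates on the Dependabot actor, and never checks out or executes the PR head. The job name, the squash-merge choice, the use of dependabot/fetch-metadata and the patch/minor-only restriction are assumptions, not details of this project.

```yaml
# Hypothetical dependabot automerge workflow on GitHub-hosted runners.
# Example for illustration only; not the repository's actual workflow file.
name: dependabot-automerge

on:
  pull_request_target:          # runs in the base-repo context with a write-capable token
    types: [opened, synchronize, reopened]

permissions:
  contents: write               # required for `gh pr merge`
  pull-requests: write          # required for `gh pr review --approve`

jobs:
  automerge:
    # Act only on PRs authored by Dependabot itself; every other actor is skipped.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest      # ephemeral GitHub-hosted VM, no shared runner state
    steps:
      # Deliberately no actions/checkout here. Under pull_request_target, checking
      # out the PR head and running anything it controls (scripts, package.json,
      # Makefile) would hand the write token to whoever authored the PR.
      - name: Read Dependabot metadata
        id: meta
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Assumption for this example: auto-merge only non-major updates.
      - name: Approve and enable auto-merge
        if: steps.meta.outputs.update-type != 'version-update:semver-major'
        env:
          # Passed through env rather than interpolated into the script body,
          # so event data never becomes shell syntax.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          gh pr review --approve "$PR_URL"
          gh pr merge --auto --squash "$PR_URL"
```

Two things a reviewer would check against this shape: `gh pr merge --auto` only takes effect if the repository has "Allow auto-merge" enabled and the PR's required checks pass, and the runner label governs availability and host isolation, while the code-execution exposure of a pull_request_target job is governed entirely by what the steps do (here: no checkout, no `npm install`, no script from the PR).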
@pannago pannago requested a review from a team as a code owner April 8, 2026 10:59

pr-auditor bot commented Apr 8, 2026

✅ Security Analysis Results

Great news! No security issues found in this pull request.

Analysis Summary:

  • 📁 Files reviewed: 1
  • ✅ No security vulnerabilities detected

Security analysis powered by Claude Sonnet 4.6 via pr-auditor | Questions? Contact #dx-team or check out this page


gitstream-cm bot commented Apr 8, 2026

🥷 Code experts: No results found

No code experts were identified for the files in this pull request based on git blame analysis.

This may occur when:

  • Files are new or have limited commit history
  • Git authors aren't mapped to current team members
  • Analysis thresholds need adjustment

If you expected to see expert suggestions, consider:

  • Reviewing your config.user_mapping settings

  • Adjusting the gt/lt parameters in your action

  • Verifying files have sufficient commit history

To learn more about gitStream - Visit our Docs


sonarqubecloud bot commented Apr 8, 2026

@pannago pannago merged commit c8fab5e into main Apr 8, 2026
12 checks passed
@pannago pannago deleted the PLT-3366_dependabot_update branch April 8, 2026 11:07
@typeform-ops-gha

🎉 This PR is included in version 2.10.2 🎉

The release is available on:

Your semantic-release bot 📦🚀


4 participants