Summary
dependabot-automerge.yml trusts the dependency-group output of fetch-metadata without inspecting the PR diff. A compromised Dependabot run could submit what looks like a patch-level bump whose diff also touches syncmap.go or a workflow file, and the metadata-only check would still enable auto-merge on it.
Scope
Extend the auto-merge step to run gh pr diff and refuse to enable auto-merge if any changed path falls outside the allowlist for the PR's ecosystem: {go.mod, go.sum, .github/workflows/**} for the actions ecosystem, {go.mod, go.sum} for gomod. Note that the actions allowlist still permits workflow edits, because that is where a legitimate actions bump lands; the check narrows the exposure described in the summary but does not remove it for that ecosystem.
Acceptance criteria
- A test PR with a crafted diff touching syncmap.go is NOT auto-merged.
- Legitimate go.mod/go.sum-only bumps are still auto-merged.
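One way to implement the path check described in Scope and exercised by the acceptance criteria above, as an added example and not code from this repository's workflow. It assumes the changed-path list comes from `gh pr diff --name-only` (assumption: that flag is available in the gh version on the runner) and that the fetch-metadata ecosystem value is one of the names matched below (assumption: `gomod`/`go_modules` for Go modules, `actions`/`github_actions` for GitHub Actions). The driver at the bottom feeds in constructed lists so it runs offline.

```shell
#!/bin/sh
# Added example: gate Dependabot auto-merge on the set of paths the PR touches.
# Not the project's own dependabot-automerge.yml code.

# path_allowed ECOSYSTEM PATH
# Returns 0 if PATH is inside the allowlist for ECOSYSTEM, 1 otherwise.
# In a case pattern '*' also matches '/', so '.github/workflows/*' covers
# nested paths, i.e. it behaves like the '.github/workflows/**' glob.
path_allowed() {
  eco=$1
  p=$2
  case "$eco" in
    gomod|go_modules)                 # assumption: fetch-metadata ecosystem names
      case "$p" in
        go.mod|go.sum) return 0 ;;
      esac
      ;;
    actions|github_actions)           # assumption: fetch-metadata ecosystem names
      case "$p" in
        go.mod|go.sum|.github/workflows/*) return 0 ;;
      esac
      ;;
  esac
  return 1
}

# diff_is_safe ECOSYSTEM PATH_LIST
# PATH_LIST is newline-separated, as produced by `gh pr diff --name-only`.
# Returns 0 only if every path is allowed. An empty list is treated as unsafe:
# it most likely means the gh call failed, and auto-merge must not be enabled
# on the strength of a check that saw nothing.
diff_is_safe() {
  eco=$1
  list=$2
  if [ -z "$list" ]; then
    echo "refusing auto-merge: empty changed-path list" >&2
    return 1
  fi
  status=0
  # Here-document instead of a pipe so the loop runs in this shell and can
  # update $status.
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    if ! path_allowed "$eco" "$f"; then
      echo "refusing auto-merge: '$f' is outside the $eco allowlist" >&2
      status=1
    fi
  done <<EOF
$list
EOF
  return $status
}

# Driver with constructed inputs standing in for `gh pr diff --name-only`.
crafted='go.mod
go.sum
syncmap.go'
if diff_is_safe gomod "$crafted"; then
  echo "crafted gomod PR: would enable auto-merge (BUG)"
else
  echo "crafted gomod PR: auto-merge refused"
fi

legit='go.mod
go.sum'
if diff_is_safe gomod "$legit"; then
  echo "go.mod/go.sum-only PR: auto-merge allowed"
fi
```

In the workflow step this sits between fetch-metadata and `gh pr merge --auto`: capture `changed=$(gh pr diff "$PR_URL" --name-only)` and only run the merge command when `diff_is_safe "$ECOSYSTEM" "$changed"` succeeds. Keep the check and the merge call in the same step so a later edit to the PR is not silently covered by an earlier, now stale, verdict.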
Source: devops.