[ci] Pass --repo to gh pr view in dependabot auto-merge workflow #14005

Merged: petebacondarwin merged 1 commit into main from fix/dependabot-auto-merge-gh-repo on May 22, 2026

petebacondarwin commented May 22, 2026

The dependabot-auto-merge workflow (originally landed in #13852) failed on its first real run against PR #14003 (job log) with:

failed to run git: fatal: not a git repository (or any of the parent directories): .git
##[error]Process completed with exit code 1.

Cause. The verify step calls gh pr view "$PR_NUMBER" --json commits. When given a bare PR number, gh figures out the repo by shelling out to git remote -v. This workflow deliberately omits actions/checkout (per the security comment in the file — pull_request_target + checkout of PR code is the standard pwn vector), so there's no .git directory and gh exits 1. set -euo pipefail then aborts the script before the fail() helper can run, so the step turns red instead of cleanly skipping auto-merge with a warning annotation.

The downstream gh pr merge "$PR_URL" calls don't hit this because they're passed the full HTML URL.

Fix. Pass --repo "$REPO" explicitly to the two gh pr view calls, matching the convention used in c3-e2e.yml, rerun-remote-tests.yml, rerun-codeowners-privileged.yml, and actions/check-remote-tests/action.yml. Replaced the inline ${{ github.repository }} expansion in the gh api URL with $REPO so the verify step has one source of truth.


  • Tests
    • Tests included/updated
    • Automated tests not possible - manual testing has been completed as follows: The workflow only triggers on pull_request_target, so it can't be unit-tested. Once this lands, the next dependabot[bot] workerd-bump PR (daily, ~06:00 UTC) will exercise the fix. We can also force it sooner by triggering a synchronize event on build(deps): bump the workerd-and-workers-types group across 1 directory with 2 updates #14003 (e.g. @dependabot rebase) — pull_request_target workflows use the workflow file from main, so the fix will be picked up automatically.
    • Additional testing not necessary because:
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because: Internal CI workflow change, no user-facing surface.

The dependabot-auto-merge workflow runs without actions/checkout (by
design, since pull_request_target + checkout of PR code is a known
attack vector). That means gh has no git remote to infer the repo from,
so 'gh pr view $PR_NUMBER' fails with:

  failed to run git: fatal: not a git repository

set -euo pipefail then aborts the verify step before it can reach the
fail() helper, turning every workerd-bump PR into a hard CI failure
instead of cleanly skipping auto-merge.

Pass --repo "$REPO" explicitly to the two 'gh pr view' calls (matching
the convention used in c3-e2e.yml, rerun-remote-tests.yml, and others),
and replace the inline ${{ github.repository }} expansion in the
gh api URL with $REPO so the step has one source of truth.
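
The failure and the fix described in the PR description and commit message above, reproduced offline as an added example (not code from this PR or from the workflow file). The `gh` function is a constructed stand-in for the CLI, `fail()` is a hypothetical version of the helper, PR number 123 and `example-org/example-repo` are placeholders, and the `guarded` mode is an extra that is not part of the PR.

```shell
#!/usr/bin/env bash
# Added example: a constructed miniature of the verify step, not the workflow's code.
# run_step MODE writes the step into an empty temp directory (no checkout, so no
# .git), runs it in a fresh bash, and reports the exit status and stdout.
run_step() {
  dir=$(mktemp -d)
  cat > "$dir/verify.sh" <<'EOF'
set -euo pipefail

# Stand-in for the gh CLI so the demo runs offline: a bare PR number resolves
# only when --repo is given or the working directory has a .git directory.
gh() {
  case " $* " in
    *" --repo "*) ;;
    *) [ -d .git ] || { echo "failed to run git: fatal: not a git repository" >&2; return 1; } ;;
  esac
  echo '{"commits":[{"oid":"0000000"}]}'   # constructed response
}

# Hypothetical fail() helper: emit a warning annotation and skip without failing.
fail() { echo "::warning::skipping auto-merge: $1"; exit 0; }

case "$1" in
  # Before the fix: gh exits 1, set -e aborts on this line, fail() is never reached.
  bare)    commits=$(gh pr view "$PR_NUMBER" --json commits) ;;
  # The fix: name the repository explicitly, so no git remote is needed.
  repo)    commits=$(gh pr view "$PR_NUMBER" --repo "$REPO" --json commits) ;;
  # Not part of the PR: guarding the call routes any gh failure to fail().
  guarded) commits=$(gh pr view "$PR_NUMBER" --json commits) || fail "gh pr view failed" ;;
esac
[ -n "$commits" ] || fail "no commits returned"
echo "verified"
EOF
  rc=0
  out=$(cd "$dir" && PR_NUMBER=123 REPO=example-org/example-repo \
        bash verify.sh "$1") || rc=$?
  rm -rf "$dir"
  echo "rc=$rc out=$out"
}

for mode in bare repo guarded; do
  printf '%-8s %s\n' "$mode" "$(run_step "$mode")"
done
```

The `bare` run exits 1 with no warning annotation on stdout, which is the red step from the job log; `repo` verifies without any checkout.
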

petebacondarwin added the no-changeset-required (Skip PR check for valid changeset) label May 22, 2026

changeset-bot Bot commented May 22, 2026

⚠️ No Changeset found

Latest commit: f325d82

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

github-project-automation Bot moved this to Untriaged in workers-sdk May 22, 2026
workers-devprod requested review from a team and jamesopstad and removed request for a team May 22, 2026 09:50

workers-devprod commented May 22, 2026

Codeowners approval required for this PR:

  • ✅ @cloudflare/wrangler

ask-bonk Bot commented May 22, 2026

LGTM

devin-ai-integration Bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

petebacondarwin enabled auto-merge (squash) May 22, 2026 09:51

workers-devprod left a comment

Codeowners reviews satisfied

github-project-automation Bot moved this from Untriaged to Approved in workers-sdk May 22, 2026

pkg-pr-new Bot commented May 22, 2026

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@14005

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@14005

miniflare

npm i https://pkg.pr.new/miniflare@14005

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@14005

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@14005

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@14005

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@14005

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@14005

@cloudflare/workers-utils

npm i https://pkg.pr.new/@cloudflare/workers-utils@14005

wrangler

npm i https://pkg.pr.new/wrangler@14005

commit: f325d82

petebacondarwin merged commit c59c8e6 into main May 22, 2026
62 of 67 checks passed
petebacondarwin deleted the fix/dependabot-auto-merge-gh-repo branch May 22, 2026 10:02
github-project-automation Bot moved this from Approved to Done in workers-sdk May 22, 2026