ci: pr auto approve: Validate event sender

John Andersen · web-flow · commit 52cdc712c1ba · 2024-07-12T08:52:11.000-07:00
diff --git a/.github/workflows/00_pr_auto_approve.yml b/.github/workflows/00_pr_auto_approve.yml
@@ -35,12 +35,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
-    # if: ${{ github.event_name == 'repository_dispatch' && contains(fromJson('["dependabot[bot]", "github-actions[bot]", "pdxjohnny"]'), github.event.actor) }}
-    if: github.event_name != 'pull_request_review'
+    if: ${{ github.event_name == 'repository_dispatch' && contains(fromJson('["github-actions[bot]", "pdxjohnny"]'), github.event.sender.login) && contains(fromJson('["dependabot[bot]", "github-actions[bot]", "pdxjohnny"]'), github.event.client_payload.actor) }}
     steps:
-      - shell: cat -v {0}
-        run: ${{ toJSON(github.event) }}
-
       - name: Harden Runner
         uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
@@ -49,11 +45,11 @@ jobs:
       - uses: hmarr/auto-approve-action@8f929096a962e83ccdfa8afcf855f39f12d4dac7 # v4
         with:
           review-message: "LGTM"
-          pull-request-number: ${{ github.event.pull_request.number }}
+          pull-request-number: ${{ github.event.client_payload.pull_request.number }}
 
       - env:
           GH_TOKEN: ${{ github.token }}
-          PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
+          PULL_REQUEST_NUMBER: ${{ github.event.client_payload.pull_request.number }}
         run: |
           set -x
           gh pr merge --rebase "${PULL_REQUEST_NUMBER}"
