mesh-2092: secure from parameter injection

james-bradley-nhs · james-bradley-nhs · commit 7dcd6f78453d · 2026-01-13T11:14:49.000Z
diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
@@ -22,7 +22,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.ref }}
+          ref: ${{ startsWith(github.event.pull_request.head.ref, 'dependabot/') && github.event.pull_request.head.ref || github.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
 
       - name: Install Python 3.11
