From a943613573f9ba55d39687dd1095159d84b86005 Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Fri, 22 May 2026 15:48:25 +0200
Subject: [PATCH 1/2] ci: Harden workflows

- Replace spoofable github.actor check in dependabot-auto-merge with github.event.pull_request.user.login. Note: spoofing the dependabot actor alone is not sufficient to trigger the auto-merge step. The dependabot/fetch-metadata action only emits outputs for genuine dependabot PRs, so the merge step's check on steps.metadata.outputs.update-type would no-op on a spoofed run. The change closes the gap defensively.
---
 .github/workflows/dependabot-auto-merge.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 60dfe5d..6c18fd0 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -11,7 +11,7 @@ permissions:
 jobs:
 dependabot:
 runs-on: ubuntu-latest
- if: ${{ github.actor == 'dependabot[bot]' }}
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
 steps:
 - name: Dependabot metadata
 id: metadata

From 65bfa5d6f279423e8965ce58b190419a8d86a36d Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Tue, 26 May 2026 17:21:39 +0200
Subject: [PATCH 2/2] ci: Mark husky commit-msg script executable

---
 .husky/commit-msg | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 .husky/commit-msg

diff --git a/.husky/commit-msg b/.husky/commit-msg
old mode 100644
new mode 100755
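Review bot: The new job-level `if` on `github.event.pull_request.user.login` is correct but carries no comment explaining why `github.actor` was rejected, so a future maintainer reading the workflow alone has no reason not to "simplify" it back; add above the `if:` line `# Gate on the PR author, not github.actor: the actor is whoever triggered this run (re-run, synchronize, label), not a property of the PR.` and a second line `# Defence in depth: the fetch-metadata step below only emits outputs for genuine Dependabot PRs, so a spoofed run would no-op at the merge step.` so the reasoning in the commit message survives in the file. Note that `github.event.pull_request` is only populated for `pull_request`/`pull_request_target` events; on any other trigger the expression is empty and the job is skipped, which fails closed but is worth stating in the same comment. Whether this job runs under `pull_request_target` with write permissions cannot be confirmed here, since the `on:` block and the body of `permissions:` lie outside the hunk, as do the remaining steps of the `dependabot` job.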