From 1da3d9123f937682de073c0b772dae21fbb2dc48 Mon Sep 17 00:00:00 2001
From: Soutaro Matsumoto
Date: Tue, 27 Aug 2024 12:33:14 +0900
Subject: [PATCH] Make dependabot workflow safer
---
 .github/workflows/dependabot.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
index 90690ef..04bcfd1 100644
--- a/.github/workflows/dependabot.yml
+++ b/.github/workflows/dependabot.yml
@@ -11,8 +11,14 @@ env:
 jobs:
 dependabot:
 runs-on: ubuntu-latest
- if: ${{ github.actor == 'dependabot[bot]' }}
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
 steps:
+ - name: Dependabot metadata
+ uses: dependabot/fetch-metadata@dbb049abf0d677abbd7f7eee0375145b417fdd34 # v2.2.0
+ id: metadata
+ - name: Abort if Dependabot metadata doesn't set
+ run: exit 1
+ if: ${{ !startsWith(steps.metadata.outputs.update-type, 'version-update:') }}
 - name: Checkout repository
 uses: actions/checkout@v4
 with:
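Review bot: The new abort step accepts any value starting with `version-update:`, so `version-update:semver-major` passes just like a patch bump; if the steps after checkout (outside this hunk) approve or merge the pull request, narrow the condition or document that major updates are intended. The job-level `if` deserves a short comment so it is not reverted later, for example `# github.actor is whoever triggered the run; gate on the PR author instead`. The step name would read more clearly as `Abort if Dependabot metadata is not set`. The added action is pinned to a full commit SHA while `actions/checkout@v4` just below stays on a mutable tag; pinning it the same way (`actions/checkout@<full-commit-sha> # v4`) would keep the job consistent.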