From 9b3b6fcdb23a693137df53744251af7dc3b4acc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roberto=20Jim=C3=A9nez=20S=C3=A1nchez?=
Date: Tue, 12 Aug 2025 14:40:03 +0200
Subject: [PATCH] Security: Fix actor spoofing vulnerability in Dependabot workflow (#109519)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace github.actor with github.event.pull_request.user.login to prevent actor context spoofing in pull requests from forks. This ensures only genuine Dependabot PRs can trigger the workspace update workflow.

Fixes zizmor security finding with Medium confidence level.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-authored-by: Claude
---
 .github/workflows/pr-dependabot-update-go-workspace.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/pr-dependabot-update-go-workspace.yml b/.github/workflows/pr-dependabot-update-go-workspace.yml
index b0dbc68c266..5e9eb65c81e 100644
--- a/.github/workflows/pr-dependabot-update-go-workspace.yml
+++ b/.github/workflows/pr-dependabot-update-go-workspace.yml
@@ -17,7 +17,7 @@ permissions:
 jobs:
   update:
     runs-on: "ubuntu-latest"
-    if: ${{ github.actor == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }}
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }}
     continue-on-error: true
     steps:
       - name: Retrieve GitHub App secrets
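Review bot: The new `if:` condition carries no comment explaining why the PR author is checked instead of `github.actor`, so the next maintainer may "simplify" it back to the vulnerable form; add above the `if:` line `# Gate on the PR author, not github.actor: the actor is whoever triggered this run (e.g. a re-run), while pull_request.user.login is set by GitHub and cannot be chosen by a fork.` The head-repo comparison only establishes that the branch lives in this repository; whether that, together with the author check, is a sufficient guard depends on the `on:` trigger and the `permissions:` block, both of which are outside this hunk and should be reviewed alongside it. The `continue-on-error: true` on the context line below the change means a failure of this job, including the "Retrieve GitHub App secrets" step, never marks the workflow red, which can hide a misconfigured guard; confirm that is deliberate. The `update` job's step list continues past the end of the hunk.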