From 2bfefc62166b7fb2ef95919a67366249e6609eea Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Fri, 22 May 2026 15:42:48 +0200
Subject: [PATCH] ci: Harden workflows

- Scope release-please contents/pull-requests write permissions to the release-please job; publish jobs only need id-token: write
- Disable persist-credentials on checkouts that don't push to git
- Move repository.name interpolation into env var to avoid template injection in run blocks
- Replace spoofable github.actor check in dependabot-auto-merge with github.event.pull_request.user.login.

Note: spoofing the dependabot actor alone is not sufficient to trigger the auto-merge step. The dependabot/fetch-metadata action only emits outputs for genuine dependabot PRs, so the merge step's check on steps.metadata.outputs.update-type would no-op on a spoofed run. The change closes the gap defensively.
---
 .github/workflows/dependabot-auto-merge.yml | 2 +-
 .github/workflows/deploy-vitepress-docs.yaml | 6 ++++--
 .github/workflows/release-please.yml | 7 ++++---
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 65bd4559a66..1d164dba0b5 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -11,7 +11,7 @@ permissions:
 jobs:
   dependabot:
     runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' && github.event.pull_request.auto_merge == null }}
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.auto_merge == null }}
     steps:
       - name: Dependabot metadata
         id: metadata
diff --git a/.github/workflows/deploy-vitepress-docs.yaml b/.github/workflows/deploy-vitepress-docs.yaml
index 3affbfdaae7..821ca09e91e 100644
--- a/.github/workflows/deploy-vitepress-docs.yaml
+++ b/.github/workflows/deploy-vitepress-docs.yaml
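Review bot: The reason `github.event.pull_request.user.login` replaces `github.actor` in the job-level `if:` is recorded only in the commit message, so the next reader sees two near-identical expressions and may "simplify" it back. A one-line comment above the condition would pin it: `# Compare the PR author, not github.actor: the actor is whoever triggered this run and is spoofable; the PR author does not change with who triggers the run.` The `pull_request` payload is only populated on pull-request style events; if the `on:` block (above the hunk) also lists another trigger, the comparison is simply false there and the job skips, which is the safe direction. The job's `permissions:` block and the later metadata/merge steps are outside the hunk.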
@@ -28,11 +28,13 @@ jobs:
       GIT_COMMITTER_NAME: "OpenUI5 Bot"
       GIT_COMMITTER_EMAIL: "openui5@sap.com"
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      REPO_NAME: ${{ github.event.repository.name }}
     steps:
       - name: Checkout
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Setup Node
         uses: actions/setup-node@v6
         with:
@@ -57,10 +59,10 @@ jobs:
         working-directory: internal/documentation
         run: |
           # The base output
-          npm run build:vitepress -- --base="/${{ github.event.repository.name }}/${DOC_VERSION}/"
+          npm run build:vitepress -- --base="/${REPO_NAME}/${DOC_VERSION}/"
           npm run build:assets -- ./dist
           # The alias output
-          npm run build:vitepress -- --base="/${{ github.event.repository.name }}/${DOC_ALIAS}/" --outDir="dist-${DOC_ALIAS}"
+          npm run build:vitepress -- --base="/${REPO_NAME}/${DOC_ALIAS}/" --outDir="dist-${DOC_ALIAS}"
           npm run build:assets -- ./dist-${DOC_ALIAS}
       - name: Build Schema
         working-directory: internal/documentation
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 3bfe68b6a8f..c96080dcd3c 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -5,13 +5,14 @@ on:
     branches:
       - main
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   release-please:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      pull-requests: write
     outputs:
       releases_created: ${{ steps.release.outputs.releases_created }}
     steps:
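Review bot: `persist-credentials: false` is added to a checkout in a job whose env also sets `GIT_COMMITTER_NAME`, `GIT_COMMITTER_EMAIL` and `GH_TOKEN`, which suggests a later step in this job may commit or push; the rest of the job is outside the hunk, so this is an inference. If any step after this checkout runs `git push` through the checked-out remote, it will now fail to authenticate, because the token is no longer written into the local git config; confirm those steps authenticate explicitly (for example via `gh` with `GH_TOKEN`, or a token-bearing remote URL) before merging. If the job genuinely never pushes, the committer identity variables are dead configuration and deserve either a comment saying what they are for or removal in a follow-up.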
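Review bot: The `run:` block now reads `${REPO_NAME}` instead of the `${{ }}` expression, but nothing in the file records why, and both forms build the same path, so an unrelated edit could inline the expression again. Suggest a comment directly above the `run: |`: `# Pass workflow values into scripts through env vars, never ${{ }} expressions, so they are read as data by the shell rather than spliced into the script text.` The variable is expanded inside double quotes on both lines, so it is not word-split; its definition is the `REPO_NAME` entry in the job env in the earlier hunk of this file. The step's `name:` line is above the hunk.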
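Review bot: With the workflow-level block now `permissions: {}`, every job that does not declare its own `permissions:` runs with no token scopes at all, and this hunk only adds a block to `release-please`; the publish jobs the commit message says need `id-token: write` are outside the hunk, and the diffstat's four insertions for this file are all visible here, so no permission block is being added to them by this commit. If those jobs already carried a job-level `permissions:` with `id-token: write` before this change it would not show in the diff, so confirm that is the case, and that any job which checks out the repository also has the `contents: read` it may need; otherwise OIDC publishing would fail at the first release rather than in this PR's checks. A short comment above `permissions: {}` such as `# Default to no token scopes; each job grants only what it needs below.` would make the intent survive future edits.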