From e123e01546739d41380d20b6a5019d8fb36f668c Mon Sep 17 00:00:00 2001
From: Sebastian Mendel
Date: Mon, 5 Jan 2026 15:24:41 +0100
Subject: [PATCH] fix(ci): use PR author instead of actor for auto-merge check

The workflow was using github.actor which changes when someone else pushes to a dependabot/renovate branch (e.g., to fix conflicts). Using github.event.pull_request.user.login ensures we check the actual PR author regardless of who triggered the synchronize event.
---
 .github/workflows/auto-merge-deps.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/auto-merge-deps.yml b/.github/workflows/auto-merge-deps.yml
index cae812d..661753a 100644
--- a/.github/workflows/auto-merge-deps.yml
+++ b/.github/workflows/auto-merge-deps.yml
@@ -14,7 +14,9 @@ jobs:
 auto-merge:
 name: Auto-merge dependency PRs
 runs-on: ubuntu-latest
- if: github.actor == 'dependabot[bot]' || github.actor == 'renovate[bot]'
+ # Use PR author login instead of github.actor to handle synchronize events
+ # when someone else pushes to the dependabot/renovate branch
+ if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]'
 steps:
 - name: Harden Runner
@@ -24,7 +26,7 @@ jobs:
 - name: Dependabot metadata
 id: metadata
- if: github.actor == 'dependabot[bot]'
+ if: github.event.pull_request.user.login == 'dependabot[bot]'
 uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0
 with:
 github-token: "${{ secrets.GITHUB_TOKEN }}"
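Review bot: The job-level `if:` now trusts only the account that opened the PR, so a run triggered by another account's push to a dependabot/renovate branch is treated exactly like a bot push; the step-level `if:` on `Dependabot metadata` in the second hunk has the same property. The approve/merge steps lie outside these hunks, but if they act on the PR head, commits the bot did not author would be merged without human review, which the removed `github.actor` comparison incidentally prevented. If that is not intended, keep the author check and also gate the merging step on the pusher, e.g. `if: github.event.pull_request.user.login == 'dependabot[bot]' && github.actor == 'dependabot[bot]'`, or add a step that verifies every commit in the PR is bot-authored before merging. Either way, extend the new comment to state the trust assumption, e.g. `# Trusts the PR opener only; commits pushed later by other accounts are not re-checked here`.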