require-dependabot-automation-pull-request-trigger
Rule catalog ID: R112
Targeted pattern scopeโ
Workflows that automate Dependabot pull requests.
What this rule reportsโ
This rule reports Dependabot automation workflows that do not listen for pull_request.
Why this rule existsโ
Dependabot pull request automation should run where Dependabot actually creates pull requests. Requiring the pull_request trigger keeps the workflow attached to the right event surface.
โ Incorrectโ
on: [workflow_dispatch]
โ Correctโ
on:
pull_request:
branches: [main]
Additional examplesโ
This rule applies only when the workflow contains known Dependabot automation patterns such as dependabot/fetch-metadata or gh pr automation commands.
ESLint flat config exampleโ
import githubActions from "eslint-plugin-github-actions-2";
export default [githubActions.configs.security];
When not to use itโ
Disable this rule if your repository automates Dependabot outside pull_request workflows on purpose.