require-dependabot-bot-actor-guard

Rule catalog ID: R109

Targeted pattern scope

Jobs that automate Dependabot pull requests using dependabot/fetch-metadata or gh pr commands.

What this rule reports

This rule reports Dependabot automation jobs that do not guard execution on dependabot[bot].

Why this rule exists

Pull request automation should not run broadly on all pull requests when it is intended specifically for Dependabot. Requiring a Dependabot bot guard makes that safety boundary explicit.

❌ Incorrect

jobs:
  dependabot:
    runs-on: ubuntu-latest

✅ Correct

jobs:
  dependabot:
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest

Additional examples

This rule accepts either a job-level guard or step-level guards on the relevant automation steps.

ESLint flat config example

import githubActions from "eslint-plugin-github-actions-2";

export default [githubActions.configs.security];

When not to use it

Disable this rule if your automation intentionally handles both Dependabot and non-Dependabot pull requests in the same job.

Targeted pattern scope​

What this rule reports​

Why this rule exists​

❌ Incorrect​

✅ Correct​

Additional examples​

ESLint flat config example​

When not to use it​

Further reading​