Enhance GitHub Actions workflows by adding issue permissions in auto-merge dependabot configuration and refining label addition logic to only include existing labels. Update Trivy scan step to clarify its execution context as local docker.

lazarevtill · lazarevtill · commit 7eff021bb606 · 2025-08-08T18:38:36.000+02:00
diff --git a/.github/workflows/auto-merge-dependabot.yml b/.github/workflows/auto-merge-dependabot.yml
@@ -7,6 +7,7 @@ on:
 permissions:
   contents: write
   pull-requests: write
+  issues: write
 
 jobs:
   automerge:
@@ -19,20 +20,19 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Add labels
+      - name: Add existing labels only
         uses: actions/github-script@v7
         with:
           script: |
-            const labels = ['dependencies'];
-            if (['version-update:semver-minor','version-update:semver-patch'].includes('${{ steps.meta.outputs.update-type }}')) {
-              labels.push('automerge');
+            const wanted = ['dependencies'];
+            const { data: repoLabels } = await github.rest.issues.listLabelsForRepo({ owner: context.repo.owner, repo: context.repo.repo, per_page: 100 });
+            const existing = new Set(repoLabels.map(l => l.name.toLowerCase()));
+            const toAdd = wanted.filter(n => existing.has(n));
+            if (toAdd.length) {
+              await github.rest.issues.addLabels({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.payload.pull_request.number, labels: toAdd });
+            } else {
+              core.info('No matching existing labels to add');
             }
-            await github.rest.issues.addLabels({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.payload.pull_request.number,
-              labels,
-            });
 
       - name: Enable auto-merge (squash) for non-major updates
         if: steps.meta.outputs.update-type != 'version-update:semver-major'
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -41,10 +41,11 @@ jobs:
         with:
           context: .
           push: false
+          load: true
           tags: lcm:ci-scan
           build-args: |
             TORCH_INDEX_URL=https://download.pytorch.org/whl/cpu
-      - name: Trivy scan image
+      - name: Trivy scan image (local docker)
         id: trivy
         uses: aquasecurity/trivy-action@0.22.0
         with:
