npm-run-package: try harder only to trigger on Dependabot PRs

The workflow will fail on other PRs because the environment with the
secret token is scoped to only handle PRs originating from the same
repository.

Signed-off-by: Johannes Schindelin <[email protected]>

Author: dscho

.github/workflows/npm-run-package.yml

@@ -9,6 +9,8 @@ on:
     paths:
       - package.json
       - package-lock.json
+    branches:
+      - 'dependabot/**'
   workflow_dispatch:
     inputs:
       branch: