Add Dependabot permissions warnings

Marcono1234 · web-flow · commit 385846453fc3 · 2025-04-23T18:08:35.000+02:00
diff --git a/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md
@@ -82,6 +82,9 @@ jobs:
 
 By default, {% data variables.product.prodname_actions %} workflows triggered by {% data variables.product.prodname_dependabot %} get a `GITHUB_TOKEN` with read-only permissions. You can use the `permissions` key in your workflow to increase the access for the token:
 
+> [!WARNING]
+> Increasing the permissions for {% data variables.product.prodname_dependabot %} workflow runs can cause compromised dependencies to immediately infect your repository. Only grant the minimally required permissions to the workflow.
+
 {% raw %}
 
 ```yaml copy
diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md
@@ -154,6 +154,9 @@ For more information, see [AUTOTITLE](/pull-requests/collaborating-with-pull-req
 
 You can instead use {% data variables.product.prodname_actions %} and the {% data variables.product.prodname_cli %}. Here is an example that automerges all patch updates to `my-dependency`:
 
+> [!WARNING]
+> Enabling automerge for {% data variables.product.prodname_dependabot %} pull requests can cause compromised dependencies to immediately infect your repository. Consider only automerging dependencies you fully trust, or adding additional checks which need to pass before the merge is performed.
+
 {% raw %}
 
 ```yaml copy
