This pull request restores the auto-merging of dependabot PRs.
The event is switched to use
workflow_run, which runs with write permissions as so secrets (
ERGEBNIS_BOT_TOKEN) are available in the run.
for more information see: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
I have been unable to retain all conditions of the previous if statement, namely these.
github.event.pull_request.draft == false && (
github.event.action == 'opened' ||
github.event.action == 'reopened' ||
github.event.action == 'synchronize'
) && (
(github.actor == 'localheinz' && contains(github.event.pull_request.labels.*.name, 'merge'))
An alternative will have to be found if these are critical.