From baede24c4839193b5739c1bdd05cfbd5e511ae57 Mon Sep 17 00:00:00 2001
From: Paulina
Date: Wed, 8 Apr 2026 12:59:23 +0200
Subject: [PATCH] fix: Use ubuntu-latest for dependabot workflow security
Use GitHub-hosted runners (ubuntu-latest) instead of self-hosted runners for improved security with pull_request_target workflows. GitHub-hosted runners provide better isolation and are ephemeral, reducing security risks.
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/dependabot-automerge.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
index adf3f9f9..bd569ba3 100644
--- a/.github/workflows/dependabot-automerge.yml
+++ b/.github/workflows/dependabot-automerge.yml
@@ -10,7 +10,7 @@ permissions:
 jobs:
 dependabot:
- runs-on: [ci-universal-scale-set]
+ runs-on: ubuntu-latest
 if: github.actor == 'dependabot[bot]'
 steps:
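Review bot: The job gate `if: github.actor == 'dependabot[bot]'`, kept as unchanged context directly under the new `runs-on: ubuntu-latest` line, tests the account that triggered the run, which is not necessarily the account that opened the pull request. For an auto-merge job under `pull_request_target` (the trigger named in the commit message; the `on:` block is outside the hunk), gating on the author is the tighter check: `if: github.event.pull_request.user.login == 'dependabot[bot]'`. Moving to an ephemeral hosted runner limits what a bad run can persist, but the token scopes under `permissions:` and the `steps:` list both lie outside the hunk, so whether the job checks out or executes pull-request content still needs to be confirmed there.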