From 09e55b8816f3f5303b830e5295f2cd63833da756 Mon Sep 17 00:00:00 2001
From: Kyle McDonald
Date: Wed, 11 Mar 2026 09:42:39 -0500
Subject: [PATCH 1/2] fix: dependabot changeset script error

---
 .github/workflows/dependabot-changeset.yml | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/dependabot-changeset.yml b/.github/workflows/dependabot-changeset.yml
index fc4b7fcd9..e2b4712d4 100644
--- a/.github/workflows/dependabot-changeset.yml
+++ b/.github/workflows/dependabot-changeset.yml
@@ -39,15 +39,7 @@ jobs:
 echo "ref=$PR_REF_FROM_EVENT" >> "$GITHUB_OUTPUT"
 fi
 
- # Checkout the base branch to get the trusted version of the script,
- # then checkout the PR branch on top to get the package.json changes.
- - name: Checkout base branch
- uses: actions/checkout@v4
- with:
- ref: main
- token: ${{ secrets.KNOCK_ENG_BOT_GITHUB_TOKEN }}
- path: base
-
+ # Checkout the PR branch for package.json analysis and committing.
 - name: Checkout PR branch
 uses: actions/checkout@v4
 with:
@@ -55,6 +47,16 @@ jobs:
 token: ${{ secrets.KNOCK_ENG_BOT_GITHUB_TOKEN }}
 fetch-depth: 2
 
+ # Checkout the trusted script from main into a subdirectory.
+ # This ensures we never execute code from an untrusted PR branch
+ # when triggered via workflow_dispatch.
+ - name: Checkout trusted script from main
+ uses: actions/checkout@v4
+ with:
+ ref: kyle-kno-11961-automate-changeset-for-dependabot-dependencies-2 # TODO: change back to main before merging
+ sparse-checkout: .github/scripts
+ path: .trusted
+
 - name: Setup Node.js
 uses: actions/setup-node@v4
 with:
@@ -65,7 +67,7 @@ jobs:
 env:
 PR_TITLE: ${{ steps.pr.outputs.title }}
 PR_NUMBER: ${{ steps.pr.outputs.number }}
- run: node base/.github/scripts/dependabot-changeset.js
+ run: node .trusted/.github/scripts/dependabot-changeset.js
 
 - name: Commit and push changeset
 if: steps.changeset.outputs.created == 'true'

From 6f5674281ccf551559911d83d497a497efa93538 Mon Sep 17 00:00:00 2001
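Review bot: The `Checkout PR branch` step now owns the root working tree with no `persist-credentials: false`, so actions/checkout's default will write the `token: ${{ secrets.KNOCK_ENG_BOT_GITHUB_TOKEN }}` that opens the next hunk (it appears to be this step's `with:` block, cut by the hunk boundary) into `.git/config` of a tree whose `ref` comes from `$PR_REF_FROM_EVENT` in the first context lines. Any later step that runs code from that tree could read the bot credential, which is the same exposure the trusted-script split is meant to avoid. Add `persist-credentials: false` under this step's `with:` and have the `Commit and push changeset` step (outside this hunk) supply the token itself, for example on the push remote URL. The enclosing `steps:` list begins before this hunk.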
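Review bot: `path: .trusted` nests the main checkout inside the PR branch's working tree, where it is an untracked directory carrying its own `.git` (with the default `GITHUB_TOKEN` persisted in it); if the later `Commit and push changeset` step stages with `git add -A` or `git add .`, which this hunk does not show, the whole `.trusted/` tree would land in the Dependabot PR. Add `persist-credentials: false` to this step's `with:` and keep the directory out of the commit, for example with a follow-up `run: echo .trusted >> .git/info/exclude` or by having the commit step `git add` only the changeset file. The `ref:` TODO on this step is resolved by patch 2/2 of this series. The enclosing `steps:` list continues outside the hunk.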
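Review bot: `node .trusted/.github/scripts/dependabot-changeset.js` is trusted by source, but Node resolves any bare `require()`/`import` specifier in that file by walking up from `.trusted/.github/scripts/` to the workspace root, where a `node_modules` directory (if one exists) belongs to the PR checkout, so a single non-builtin dependency would reopen the code-execution path this change closes. If the script uses only Node built-ins, record that constraint on the step: `# Script must use only Node built-ins: bare imports resolve upward into the PR checkout.` Otherwise its dependencies need to be installed under `.trusted` from main's lockfile before this step runs. Passing `PR_TITLE` and `PR_NUMBER` through `env:` rather than splicing them into the command is the right shape. The `Commit and push changeset` step that closes the hunk continues outside it.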
From: Kyle McDonald
Date: Wed, 11 Mar 2026 09:51:00 -0500
Subject: [PATCH 2/2] chore: change back to main

---
 .github/workflows/dependabot-changeset.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/dependabot-changeset.yml b/.github/workflows/dependabot-changeset.yml
index e2b4712d4..16e43c737 100644
--- a/.github/workflows/dependabot-changeset.yml
+++ b/.github/workflows/dependabot-changeset.yml
@@ -53,7 +53,7 @@ jobs:
 - name: Checkout trusted script from main
 uses: actions/checkout@v4
 with:
- ref: kyle-kno-11961-automate-changeset-for-dependabot-dependencies-2 # TODO: change back to main before merging
+ ref: main
 sparse-checkout: .github/scripts
 path: .trusted