From 385846453fc3b08938d3f96c3f1ed9322a1764c3 Mon Sep 17 00:00:00 2001
From: Marcono1234
Date: Wed, 23 Apr 2025 18:08:35 +0200
Subject: [PATCH] Add Dependabot permissions warnings

---
 .../troubleshooting-dependabot-on-github-actions.md | 3 +++
 .../automating-dependabot-with-github-actions.md | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md
index 7af3d7da116d..ba9e670b4996 100644
--- a/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md
+++ b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md
@@ -82,6 +82,9 @@ jobs:
 By default, {% data variables.product.prodname_actions %} workflows triggered by {% data variables.product.prodname_dependabot %} get a `GITHUB_TOKEN` with read-only permissions. You can use the `permissions` key in your workflow to increase the access for the token:
+> [!WARNING]
+> Increasing the permissions for {% data variables.product.prodname_dependabot %} workflow runs can cause compromised dependencies to immediately infect your repository. Only grant the minimally required permissions to the workflow.
+
 {% raw %}
 ```yaml copy
diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md
index eab2af97fbfd..66af6278a3e7 100644
--- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md
+++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md
@@ -154,6 +154,9 @@ For more information, see [AUTOTITLE](/pull-requests/collaborating-with-pull-req
 You can instead use {% data variables.product.prodname_actions %} and the {% data variables.product.prodname_cli %}. Here is an example that automerges all patch updates to `my-dependency`:
+> [!WARNING]
+> Enabling automerge for {% data variables.product.prodname_dependabot %} pull requests can cause compromised dependencies to immediately infect your repository. Consider only automerging dependencies you fully trust, or adding additional checks which need to pass before the merge is performed.
+
 {% raw %}
 ```yaml copy