Dependabot merges PRs that do not pass CI

[raxod502]

Looks like the CI errors noted in #32 were introduced by #31 being auto-merged by

syntax_tree-haml/.github/workflows/main.yml

Lines 28 to 41 in 8dac220

	automerge:
	name: AutoMerge
	needs: ci
	runs-on: ubuntu-latest
	if: github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]'
	steps:
	- uses: actions/github-script@v3
	with:
	script: |
	github.pulls.merge({
	owner: context.payload.repository.owner.login,
	repo: context.payload.repository.name,
	pull_number: context.payload.pull_request.number
	})

despite some checks not passing:

For some reason the same CI was run twice, but once as a no-op (which passed) and once with the actual tests (which failed). I think the GitHub Actions configuration needs to be updated somehow to prevent that.

[raxod502]

Looks like this is (partially) because pull_request_target is the wrong trigger to use. Per docs, it fully ignores the head of the PR and only runs against the base branch, so, of course will pass despite bad code in PR.

I think what we want is a trigger (or action) that will run against a synthesized merge commit instead.

[kddnewton]

Ugh... I kind of knew this might be wrong and didn't know how to fix it. Thanks for catching, I'll see what I can find. If you know how to fix this I would appreciate the help as well!

[raxod502]

Fixed in #38.