The previous implementation checked `github.event.sender.login`, which
is whoever triggered the event (e.g., someone closing/reopening the PR).
This fixes it to check `github.event.pull_request.user.login` instead —
the PR author — so the workflow runs correctly whenever a
Dependabot-created PR is opened, synchronized, or reopened.

When Dependabot bumps dependencies in package.json, this workflow
automatically runs `npm run all` to rebuild the dist folder and commits
the changes back to the PR.
This ensures the compiled JavaScript in `dist/` stays in sync with
dependency updates.

**How it works:**

1. Triggers on PRs opened by `dependabot[bot]`
2. Runs `npm ci` and `npm run all` (build, check, package, test)
3. Commits any changes to `dist/` back to the PR branch

Uses `stefanzweifel/git-auto-commit-action` for the commit step.
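
A minimal workflow matching the description above, as an added sketch that is not the project's actual workflow file. The file name, job name, Node version, action version tags and commit message are assumptions.

```yaml
# .github/workflows/dependabot-rebuild-dist.yml (hypothetical file name)
name: Rebuild dist for Dependabot PRs

on:
  pull_request:
    types: [opened, synchronize, reopened]

# Dependabot-triggered runs get a read-only GITHUB_TOKEN by default;
# grant only the write scope the commit step needs.
permissions:
  contents: write

jobs:
  rebuild-dist:
    runs-on: ubuntu-latest
    # Gate on the PR author, not github.event.sender.login: the sender is
    # whoever triggered this event (e.g. a maintainer reopening the PR).
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the PR branch itself so the commit lands on it.
          ref: ${{ github.head_ref }}

      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumed; match the project's Node version

      - run: npm ci
      - run: npm run all    # build, check, package, test

      - uses: stefanzweifel/git-auto-commit-action@v5
        with:
          commit_message: "chore: rebuild dist"   # assumed message
          file_pattern: dist/                     # commit only dist/ changes
```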