isolated-db-branches
Warn
Audited by Socket on May 2, 2026
1 alert found:
Anomaly (severity: LOW) in templates/workflows/db-validate-and-prepare.yml
No clear indicator of malware is present in this workflow snippet. However, the job has moderate security risk due to (1) elevated GitHub permissions and automated PR merging, (2) an unpinned global install of neonctl at runtime (supply-chain surface), and (3) reliance on pnpm scripts to generate/apply migrations that will be committed and auto-merged. If repository scripts or dependencies were compromised, the workflow could propagate malicious or unintended changes into main. Recommend pinning neonctl to an exact version/digest, pinning GitHub actions to immutable references, and reducing token permissions or adding review gates for auto-merge.
Confidence: 62%; Severity: 60%