#evals failing for dependabot bumps

You can ignore that one - it's not blocking, and we have to be paranoid about where it can run because it needs a bunch of credentials. We can maybe tune the config to skip dependabot PRs, not sure why exactly these don't have access. Currently the workflow checks if the PR is from a branch on the same repo, which these are, but maybe secrets are disabled for dependabot PRs? (maybe Gerhard (PTO, pardon the ping) @frozen eagle knows more details on that)