
New audit: bot conditions #170

@woodruffw

Description


TL;DR: if: github.actor == 'dependabot[bot]' can be exploited if it's composed with a dangerous trigger (like pull_request_target), since an attacker can open up a PR that's been manipulated such that the last actor/activity on the PR is Dependabot.

dependabot, dependabot[bot], and renovate[bot] are probably the main ones.

Ref: https://www.synacktiv.com/publications/github-actions-exploitation-dependabot
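The composition described above, as an added illustration that is not part of the issue or of the zizmor project: a hypothetical workflow that pairs the bot-actor condition with `pull_request_target`, followed by a hardened counterpart. Workflow, job and step names are placeholders chosen for the example; the two documents stand for two separate workflow files.

```yaml
# --- VULNERABLE (hypothetical workflow written for this example) ---
# pull_request_target runs in the base repository's context, with the
# base repository's token and secrets. github.actor names whoever performed
# the most recent activity on the PR, which an attacker can arrange to be
# Dependabot, so the `if:` below is not a trust boundary.
name: auto-merge-dependabot
on:
  pull_request_target:
    types: [opened, synchronize]

permissions:
  contents: write
  pull-requests: write

jobs:
  merge:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: actions/checkout@v4
        with:
          # Checking out the PR head under pull_request_target runs
          # attacker-controlled code with the privileges granted above.
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test   # executes scripts from the untrusted head
      - run: gh pr merge --auto --squash "$PR_URL"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
---
# --- HARDENED ---
# pull_request (not _target) runs in the PR's own context: for fork PRs the
# token is read-only and repository secrets are unavailable, so a spoofed
# actor gains nothing. The condition also checks the PR author and that the
# head branch lives in this repository (assumption: that is the policy the
# original check meant to express, i.e. "Dependabot's own PRs").
name: auto-merge-dependabot
on:
  pull_request:
    types: [opened, synchronize]

permissions:
  contents: read
  pull-requests: write

jobs:
  merge:
    runs-on: ubuntu-latest
    if: >-
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v4   # default ref: the PR merge commit
      - run: npm ci && npm test
      - run: gh pr merge --auto --squash "$PR_URL"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
```

The audit the issue asks for would flag the first shape: an `if:` comparing `github.actor` (or `github.triggering_actor`) against a bot login such as `dependabot[bot]` or `renovate[bot]`, in a workflow or job reachable from `pull_request_target` or another trigger that carries base-repository privileges. The same condition under plain `pull_request` is much lower risk, because there is no privilege for the spoofed actor to unlock.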
