4

I have a GitHub action that runs tests in the CI on every pull request that is opened on my repo.

As part of the tests workflow, the job checkout several other repositories in the GitHub organization (all of them are private, same as my repo). Later the workflow uses the content checked out for the tests suites.

That works well on pull requests issued by our organization's contributors, but whenever this workflow runs on a PR that was issued by Dependabot - it fails as Dependabot PRs don't have the same secret access as other pull requests do.

My question is how can I provide this workflow with the capability of checking out other repos in the organization without exposing all of the secrets data to dependabot?

Thanks!

Webmaestro1
  • 81
  • 4

2 Answers2

3

whenever this workflow runs on a PR that was issued by Dependabot - it fails as Dependabot PRs don't have the same secret access as other pull requests do.

This should no longer (Nov./Dec. 2021) be the case:

GitHub Actions: Workflows triggered by Dependabot receive dependabot secrets.

GitHub Actions workflows triggered by Dependabot will now be sent the Dependabot secrets.

This change will enable you to pull from private package registries in your CI using the same secrets you have configured for Dependabot to use and will improve how Actions and Dependabot work together.

Learn more about using Actions and Dependabot together.

VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
0

A simple solution according to GitHub is to use the same token (or different ones but with same permissions), with the same name for both Actions and Dependabot

Accessing Secrets

...

If you have a workflow that will be triggered by Dependabot and also by other actors, the simplest solution is to store the token with the permissions required in an action and in a Dependabot secret with identical names. Then the workflow can include a single call to these secrets. If the secret for Dependabot has a different name, use conditions to specify the correct secrets for different actors to use. For examples that use conditions, see "Common automations" below.

...

Solution

Having generated a Personal Access Token (PAT), in your repository go to:

  • Settings>Secrets and variables>Actions
    • Under Repository secretes create a secret e.g. MY_PAT and paste the token
  • Settings>Secrets and variables>Dependabot
    • Under Repository secretes create a secret e.g. MY_PAT and paste the token
gnikit
  • 1,031
  • 15
  • 25