Webmaestro1

Reputation: 91

CI Tests fail on Dependabot pull requests

I have a GitHub action that runs tests in the CI on every pull request that is opened on my repo.

As part of the tests workflow, the job checks out several other repositories in the GitHub organization (all of them are private, same as my repo). Later the workflow uses the checked-out content for the test suites.

That works well on pull requests issued by our organization's contributors, but whenever this workflow runs on a PR that was issued by Dependabot - it fails as Dependabot PRs don't have the same secret access as other pull requests do.

My question is how can I provide this workflow with the capability of checking out other repos in the organization without exposing all of the secrets data to dependabot?

Thanks!

Upvotes: 5

Views: 2555

Answers (2)

gnikit

Reputation: 1291

A simple solution according to GitHub is to use the same token (or different ones but with same permissions), with the same name for both Actions and Dependabot

Accessing Secrets

...

If you have a workflow that will be triggered by Dependabot and also by other actors, the simplest solution is to store the token with the permissions required in an action and in a Dependabot secret with identical names. Then the workflow can include a single call to these secrets. If the secret for Dependabot has a different name, use conditions to specify the correct secrets for different actors to use. For examples that use conditions, see "Common automations" below.

...

Solution

Having generated a Personal Access Token (PAT), in your repository go to:

  • Settings > Secrets and variables > Actions
    • Under Repository secrets create a secret, e.g. MY_PAT, and paste the token
  • Settings > Secrets and variables > Dependabot
    • Under Repository secrets create a secret, e.g. MY_PAT, and paste the token

Upvotes: 0

VonC

Reputation: 1327324

whenever this workflow runs on a PR that was issued by Dependabot - it fails as Dependabot PRs don't have the same secret access as other pull requests do.

This should no longer (Nov./Dec. 2021) be the case:

GitHub Actions: Workflows triggered by Dependabot receive dependabot secrets.

GitHub Actions workflows triggered by Dependabot will now be sent the Dependabot secrets.

This change will enable you to pull from private package registries in your CI using the same secrets you have configured for Dependabot to use and will improve how Actions and Dependabot work together.

Learn more about using Actions and Dependabot together.

Upvotes: 3
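As an added illustration of the two answers above (this is example code, not from the question, the answers, or GitHub's documentation): a workflow that checks out a second private repository with a token stored under the same name, MY_PAT, as both an Actions secret and a Dependabot secret. Because Dependabot-triggered runs receive only Dependabot secrets, the single `secrets.MY_PAT` reference resolves to the Actions secret on contributor PRs and to the Dependabot secret on Dependabot PRs, so no Actions secret is exposed to Dependabot. The organization name `example-org`, the repository `shared-fixtures`, the secret name `DEPENDABOT_PAT` in the commented alternative, and the `./run-tests.sh` command are placeholders.

```yaml
# Added example workflow (not part of the original question or answers).
name: tests

on:
  pull_request:

# Least privilege for the built-in GITHUB_TOKEN: the job only reads code.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Check out this repository
        uses: actions/checkout@v4

      # Assumed names: organization "example-org", sibling repo "shared-fixtures".
      # MY_PAT must exist as BOTH an Actions secret and a Dependabot secret with the
      # same name so this one step works for every actor that opens a PR.
      - name: Check out a sibling private repository
        uses: actions/checkout@v4
        with:
          repository: example-org/shared-fixtures
          token: ${{ secrets.MY_PAT }}
          path: shared-fixtures
          # If the Dependabot secret has a different name (assumed: DEPENDABOT_PAT),
          # select it by actor instead, as the quoted GitHub docs suggest:
          # token: ${{ github.actor == 'dependabot[bot]' && secrets.DEPENDABOT_PAT || secrets.MY_PAT }}

      - name: Show which actor triggered the run
        run: echo "Triggered by ${{ github.actor }}"

      - name: Run the test suite against the checked-out fixtures
        run: ./run-tests.sh shared-fixtures   # placeholder test command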
