Fix Dependabot PRs failing due to missing secrets#697
Merged
sami-alajrami merged 3 commits into main from Mar 17, 2026
Conversation
AlexKantor87
approved these changes
Mar 12, 2026
mbevc1
approved these changes
Mar 12, 2026
Contributor
LGTM, but just to check here: if I open a PR on a fork and change that conditional to allow triggering on my workflow, would I still be able to get secrets? Also, what secrets are we trying to protect, just Snyk or something else?
Contributor (Author)
No, because the workflow YAML that runs is the one from the main branch, not the one from the fork.
Problem
Dependabot PRs were triggering the Main workflow via the push event, but GitHub withholds repository secrets from Dependabot-initiated runs. This caused jobs requiring secrets (tests, Snyk scans, Kosli reporting) to fail, blocking the PRs from being merged.
Solution
Dependabot branches are excluded from the push trigger. Instead, a pull_request_target trigger handles Dependabot PRs — this event runs in the context of the base branch and has full access to repository secrets. A guard (github.actor == 'dependabot[bot]') ensures the secrets-bearing path is only reachable by Dependabot, not arbitrary external PRs. A checkout_ref input is threaded through all reusable workflows so each job checks out the PR head commit rather than the base branch.
Security concern
Code execution from untrusted ref is a risk with pull_request_target. The if guard ensures only Dependabot triggers the secret-bearing path, which is good. However, if Dependabot's account were ever compromised (or a malicious dependency update shipped code in a pre-install script), we would be running that code with full secrets access.
If we are not happy to take that risk, we might have to find another way to update dependencies, as the alternative is to duplicate all needed secrets for Dependabot in GitHub, which causes significant maintenance overhead.
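An added illustration of the trigger layout the description and the fork question above refer to, written for this page rather than taken from the repository: the caller workflow keeps Dependabot branches out of the push trigger, handles Dependabot PRs through pull_request_target behind the actor guard, and passes checkout_ref into a reusable workflow so the PR head commit is what gets built. The file names, job names, run-tests.sh and the SNYK_TOKEN secret name are assumptions.

```yaml
# .github/workflows/main.yml (caller) -- illustrative layout, not the project's own file
name: Main
on:
  push:
    branches-ignore:
      - 'dependabot/**'       # Dependabot pushes run without secrets, so skip them here
  pull_request_target:        # runs the base-branch copy of this file, with secrets available
    branches: [main]

jobs:
  tests:
    # Secret-bearing path: regular pushes, or PRs whose triggering actor is Dependabot.
    # Any other PR (including one from a fork that edits this condition) is excluded,
    # because the YAML that runs is the one on the base branch, not the PR's copy.
    if: github.event_name == 'push' || github.actor == 'dependabot[bot]'
    uses: ./.github/workflows/tests.yml
    with:
      # Under pull_request_target the default checkout is the base branch, so the PR
      # head commit is passed explicitly; on push this is empty and the default applies.
      checkout_ref: ${{ github.event.pull_request.head.sha || '' }}
    secrets: inherit

---
# .github/workflows/tests.yml (reusable) -- illustrative
on:
  workflow_call:
    inputs:
      checkout_ref:
        type: string
        required: false
        default: ''

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.checkout_ref }}
          persist-credentials: false   # keep GITHUB_TOKEN out of .git/config of the checked-out tree
      # Residual risk noted in the description: install scripts from a malicious dependency
      # update still execute here with the secrets below in scope.
      - run: ./run-tests.sh
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # assumed secret name
```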