Fix Dependabot workflow: add --skip-install flag and error logging#2140
Merged
Fix Dependabot workflow: add --skip-install flag and error logging#2140
Conversation
The default GITHUB_TOKEN returns 403 on the /dependabot/alerts endpoint regardless of workflow permissions. The workflow now: - Uses DEPENDABOT_PAT secret (falls back to GITHUB_TOKEN) - Prints stderr log when the script produces no JSON output - Documents the PAT requirement at the top of the workflow A PAT with security_events scope must be added as a repo secret named DEPENDABOT_PAT for the workflow to function. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
TalZaccai
had a problem deploying
to
development-fork
GitHub Actions
Error
TalZaccai
had a problem deploying
to
development-fork
GitHub Actions
Error
TalZaccai
force-pushed
the
talzacc/security_script
branch
from
6d28438 to
1b2344e
Compare
TalZaccai
temporarily deployed
to
development-fork
GitHub Actions
Inactive
TalZaccai
temporarily deployed
to
development-fork
GitHub Actions
Inactive
TalZaccai
changed the title
TalZaccai
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The \ ix-dependabot-alerts\ workflow completed successfully but found zero packages. The stderr log (now printed thanks to the error logging fix) revealed:
\
Command failed (exit 139): pnpm install --frozen-lockfile
\\
Root cause: The script runs \pnpm install --frozen-lockfile\ at startup, but the workflow already installs dependencies. Running it again OOM-kills the runner (exit 139 = signal kill).
Changes
How to verify
Merge and re-run the workflow — it should now get past the install step and actually discover fixable packages.