Dependabot and internal repos #5269
Would be nice if it were more obvious how to set up Dependabot to work with internal repos that have workflows that access secrets. While there seems to be documentation around this (pull_request_target), I haven't seen a clear example of a workflow that demonstrates how this should be done. Dependabot happily creates PRs, but the workflows fail because they cannot access the secrets they depend on. My workaround is to manually replicate the changes Dependabot suggests and submit my own pull request; feels like there's gotta be a better way. The documentation about pull_request_target suggests there are security implications for using this trigger, but given it isn't a public repo, is this even a concern? If not, it would be good if the documentation reflected this, as context is important.
Replies: 1 comment
Hi @tyson-benson,
I agree the current state is not very satisfactory, as it requires some work setting this up correctly. Here's an example which should work:

```yaml
name: My Workflow
on:
  pull_request:
  # for dependabot, see: https://github.com/dependabot/dependabot-core/issues/3253#issuecomment-841656411
  pull_request_target:
jobs:
  test:
    # Human PRs run on pull_request; Dependabot PRs run on pull_request_target
    # (the only event of the two that can see repository secrets)
    if: |
      (github.event_name == 'pull_request' && github.actor != 'dependabot[bot]') ||
      (github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]')
    name: Run Tests
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v2
        with:
          # pull_request_target checks out the base branch by default, so the
          # PR head has to be requested explicitly
          ref: ${{ github.event.pull_request.head.sha }}
      ...
```

Couple of things to note:
As for the security implications:
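The same gating, written out as an added example that is not the reply's own code and not anything from the Dependabot project: it keeps the reply's `if:` condition and explicit head-sha checkout, and adds the least-privilege settings worth having around `pull_request_target`. The workflow name, the `npm` commands, the `MY_SECRET` name and the `v3` checkout pin are assumptions.

```yaml
name: My Workflow

on:
  pull_request:
  pull_request_target:

# pull_request_target runs with a read/write GITHUB_TOKEN and full access to
# repository secrets, whatever the repository's visibility. Scope the token
# down explicitly; secrets are only exposed on the steps that need them.
permissions:
  contents: read
  pull-requests: read

jobs:
  test:
    # Human-authored PRs run under pull_request (read-only token, no secrets).
    # Dependabot-authored PRs run under pull_request_target so secrets exist.
    # If a human pushes to a Dependabot branch, github.actor is that human,
    # so the synchronize event falls through to the pull_request leg.
    if: |
      (github.event_name == 'pull_request' && github.actor != 'dependabot[bot]') ||
      (github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]')
    name: Run Tests
    runs-on: ubuntu-latest
    steps:
      - name: Checkout PR head
        uses: actions/checkout@v3          # assumed pin
        with:
          # Without this, pull_request_target checks out the base branch and
          # the PR's changes are never tested.
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave GITHUB_TOKEN in .git/config where a build script
          # executed from the checked-out tree could read it.
          persist-credentials: false

      - name: Install and test
        # Assumed build commands. Everything run here comes from the PR head,
        # including install hooks of whatever dependency was just bumped.
        run: |
          npm ci
          npm test
        env:
          # Assumed secret name; pass secrets only to the step that uses them,
          # not at job or workflow level.
          MY_SECRET: ${{ secrets.MY_SECRET }}
```

The reason the trigger matters in a private repo is that `pull_request_target` gives the job the base branch's privileges while `ref: head.sha` makes it execute the PR's code, so the actor check is what keeps that combination limited to PRs Dependabot itself opened. Even then the build still runs the updated dependency's own scripts with the secrets in scope, so keep the exposed secrets to what the tests genuinely need. A separate alternative, not shown above, is to store the values as Dependabot secrets in the repository settings, which Dependabot-triggered `pull_request` runs can read without `pull_request_target` at all.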