fix(ci): auto-label workflow fails on every Dependabot PR#4235
Merged
Conversation
The auto-label workflow failed on every Dependabot PR because it read github-token from secrets.DOCS_GH_PAT, which is stored in the Actions secret store. Dependabot-triggered runs only receive Dependabot secrets, so the token resolved to empty and the step errored with 'Input required and not supplied: github-token'. Switch to pull_request_target with the built-in GITHUB_TOKEN and an explicit pull-requests: write permission, removing the PAT dependency. Skip Dependabot PRs since they are already labeled by dependabot.yml (dependencies / type::security) and were previously mislabeled as type::feature/type::docs.
✅ Deploy Preview for replicated-docs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
✅ Deploy Preview for replicated-docs-upgrade ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
mikhailswift
approved these changes
Jul 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The
Auto-label new PRsworkflow (auto-label.yml) fails on every Dependabot PR with:Root cause
The step reads
github-token: ${{ secrets.DOCS_GH_PAT }}. That secret lives in the Actions secret store, but Dependabot-triggered workflow runs only receive secrets from the separate Dependabot secret store (which is empty here). So on Dependabot PRs the token resolves to empty and the step errors. Human-authored PRs get the Actions secret, which is why only Dependabot PRs went red.Fix
pull_request_targetand use the built-inGITHUB_TOKENwith an explicitpermissions: pull-requests: write, removing the external-PAT dependency entirely. This workflow only adds static labels (never checks out or executes PR code), sopull_request_targetis safe here.if: github.actor != 'dependabot[bot]'). They are already labeled bydependabot.yml(dependencies/type::security), and the old workflow was additionally mislabeling them astype::feature/type::docs.Result
No more red X on Dependabot PRs, no more mislabeling, and no dependency on a PAT that has to be duplicated across two secret stores.