Skip to content

fix(ci): auto-label workflow fails on every Dependabot PR#4235

Merged
AmberAlston merged 1 commit into
mainfrom
fix/auto-label-dependabot
Jul 6, 2026
Merged

fix(ci): auto-label workflow fails on every Dependabot PR#4235
AmberAlston merged 1 commit into
mainfrom
fix/auto-label-dependabot

Conversation

@AmberAlston

Copy link
Copy Markdown
Member

Problem

The Auto-label new PRs workflow (auto-label.yml) fails on every Dependabot PR with:

Error: Input required and not supplied: github-token

Root cause

The step reads github-token: ${{ secrets.DOCS_GH_PAT }}. That secret lives in the Actions secret store, but Dependabot-triggered workflow runs only receive secrets from the separate Dependabot secret store (which is empty here). So on Dependabot PRs the token resolves to empty and the step errors. Human-authored PRs get the Actions secret, which is why only Dependabot PRs went red.

Fix

  • Switch the trigger to pull_request_target and use the built-in GITHUB_TOKEN with an explicit permissions: pull-requests: write, removing the external-PAT dependency entirely. This workflow only adds static labels (never checks out or executes PR code), so pull_request_target is safe here.
  • Skip Dependabot PRs (if: github.actor != 'dependabot[bot]'). They are already labeled by dependabot.yml (dependencies / type::security), and the old workflow was additionally mislabeling them as type::feature/type::docs.

Result

No more red X on Dependabot PRs, no more mislabeling, and no dependency on a PAT that has to be duplicated across two secret stores.

The auto-label workflow failed on every Dependabot PR because it read
github-token from secrets.DOCS_GH_PAT, which is stored in the Actions
secret store. Dependabot-triggered runs only receive Dependabot secrets,
so the token resolved to empty and the step errored with 'Input required
and not supplied: github-token'.

Switch to pull_request_target with the built-in GITHUB_TOKEN and an
explicit pull-requests: write permission, removing the PAT dependency.
Skip Dependabot PRs since they are already labeled by dependabot.yml
(dependencies / type::security) and were previously mislabeled as
type::feature/type::docs.
@AmberAlston AmberAlston requested a review from a team as a code owner July 6, 2026 20:57
@netlify

netlify Bot commented Jul 6, 2026

Copy link
Copy Markdown

Deploy Preview for replicated-docs ready!

Name Link
🔨 Latest commit 1525bbd
🔍 Latest deploy log https://app.netlify.com/projects/replicated-docs/deploys/6a4c16c064f3940008cfdaa4
😎 Deploy Preview https://deploy-preview-4235--replicated-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@netlify

netlify Bot commented Jul 6, 2026

Copy link
Copy Markdown

Deploy Preview for replicated-docs-upgrade ready!

Name Link
🔨 Latest commit 1525bbd
🔍 Latest deploy log https://app.netlify.com/projects/replicated-docs-upgrade/deploys/6a4c16c064f3940008cfdaa8
😎 Deploy Preview https://deploy-preview-4235--replicated-docs-upgrade.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@AmberAlston AmberAlston requested a review from mikhailswift July 6, 2026 20:59
@AmberAlston AmberAlston merged commit 348d00e into main Jul 6, 2026
5 checks passed
@AmberAlston AmberAlston deleted the fix/auto-label-dependabot branch July 6, 2026 21:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants