Dependabot GITHUB_TOKEN permissions & secret access is contradicting / incomplete

[Marcono1234]

Code of Conduct

• I have read and agree to the GitHub Docs project's Code of Conduct

What article on docs.github.com is affected?

There are multiple parts of the documentation which say that Dependabot workflow runs act as if they are from a forked repository and therefore have limited privileges.

However, the documentation seems to be incomplete / contradicting:

• Some parts say that the token is read-only and there is no access to secrets
  • https://github.com/github/docs/blob/e2f952a115fc4cb3d34281b1fa472ac3cd33e7da/data/reusables/actions/workflow-runs-dependabot-note.md

  • docs/data/reusables/developer-site/pull_request_forked_repos_link.md

    Lines 17 to 18 in e2f952a

    	> [!NOTE]
    	> Workflows triggered by {% data variables.product.prodname_dependabot %} pull requests are treated as though they are from a forked repository, and are also subject to these restrictions.

• Some mention that the permissions can be increased, and secrets can be made accessible (but without
  linking to the relevant documentation)

  • docs/data/reusables/dependabot/dependabot-on-actions-troubleshooting-workflows.md

    Line 9 in e2f952a

    1. You can provide workflows triggered by {% data variables.product.prodname_dependabot %} access to secrets and allow the `permissions` term to increase the default scope of the `GITHUB_TOKEN`.

  • https://github.com/github/docs/blame/e2f952a115fc4cb3d34281b1fa472ac3cd33e7da/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md#L26-L31
    (it is actually explained further down in the same document, but maybe it would be useful to directly link there?)
• GitHub enterprise has dedicated section which suggests changing configs

  • docs/content/admin/managing-github-actions-for-your-enterprise/advanced-configuration-and-troubleshooting/troubleshooting-github-actions-for-your-enterprise.md

    Line 71 in e2f952a

    ### Providing workflows triggered by {% data variables.product.prodname_dependabot %} access to secrets and increased permissions

    
    (is this really needed or does the github.com approach work for enterprises as well and should be preferred because it is safer?)

The only sections which actually provide detailed information seem to be:

• Section about Dependabot secrets
  https://github.com/github/docs/blame/e2f952a115fc4cb3d34281b1fa472ac3cd33e7da/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md#L45
• Section about how to increase permissions
  https://github.com/github/docs/blame/e2f952a115fc4cb3d34281b1fa472ac3cd33e7da/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md#L81

What part(s) of the article would you like to see updated?

• If possible please consolidate the information
• Remove contradictions
• Add links so that the sections not only say "you can increase permissions, you can access secrets", but also link to the relevant sections about how to do it
• Document the security concerns / the rationale why the token has read-only permissions by default and why there are dedicated Dependabot secrets, so that users are hopefully careful with changing this

Additional information

No response

[Sharra-writes]

Thanks so much for opening an issue! I'll get this triaged for review.

[github-actions]

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀

[Sharra-writes]

@Marcono1234 Hi! I've have some SMEs who have been looking through your issues/PRs and I do need to follow up with them to see if they have anything to tell me, but this PR was just opened and merged today, and I don't know if it's related to/addresses any of your concerns. If you would be willing to take a look and let me know, that would be amazing. If not, that's fine, I'll ask around. It's just crazy with Build right now, and I don't know if anyone has the bandwidth to answer my questions.