I have Dependabot configured in my repository. As mentioned in numerous threads already, Dependabot recently rolled out a feature where GitHub secrets will not be available to Dependabot PRs. The documented solution for this is to change the trigger on a PR gate workflow from using pull_request_target. Since the Dependabot PRs are essentially fork PRs, this will result in the workflows being run in the context of the base of the PR.
The problem I’m seeing with using pull_request_target as the trigger is that it seems to prevent you from making changes to a GitHub Actions workflow, because it uses what’s in the base branch, not what’s in the PR. I think this is the same reason why people are also having issues with workflows with pull_request_target getting picked up (I assume this is when they are submitting a PR that is creating the PR workflow).
pull_request_target set as triggers will run the workflows twice so that’s not a solution.
How can this be addressed?