Dependabot and secrets

Hi

I have a CI workflow on our repository which looks like the following:

name: CI

on:
  push:
    branches:
      - master
    tags-ignore:
      - '*'
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Check out the repository being built (full history)
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      # Check out the shared private actions repo using an org-level PAT
      - name: Checkout Github Action
        uses: actions/checkout@v2
        with:
          path: github-actions
          repository: myor/org-actions
          token: ${{ secrets.ORG_TOKEN }}

The ORG_TOKEN is an organization secret which includes all needed permissions (PAT) and is assigned to all private repos.
When users create a PR and CI runs, all is good.
Now, since moving to Dependabot (from dependabot-preview), when Dependabot creates a new PR
it fails on the step of checking out the GitHub Actions with an error that it doesn't have the supplied token, meaning ORG_TOKEN does not exist.
When rerunning the CI it passes.
I fail to understand why, when the PR is created by Dependabot, it cannot find the token.
I saw there is an option to add a 'Dependabot organization secret' and I've also added it, but I don't understand why it's needed, as from my understanding adding a secret and then using it with 'password' in the dependabot.yml is for actually monitoring the workflows directory, which is not something we want.

Any idea what I'm missing here?

10x

That is the result of a security fix from February. This changelog entry explains the rationale and possible alternatives:

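As an added example (not code from the original thread), here is a variant of the workflow above that makes the missing-secret case visible instead of letting the private checkout fail with an opaque authentication error. It assumes the same secret name ORG_TOKEN and the same private actions repository as the poster's workflow; the guard step and the comments are mine. It relies on the documented behaviour behind the February change: a workflow run triggered by a Dependabot pull request does not receive repository or organization Actions secrets, only secrets registered under Dependabot secrets.

```yaml
name: CI

on:
  push:
    branches:
      - master
    tags-ignore:
      - '*'
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0

      # Added guard: on a Dependabot-triggered pull_request run the Actions
      # secrets are withheld, so secrets.ORG_TOKEN expands to an empty string.
      # Fail here with an explicit message rather than inside the checkout.
      - name: Verify the org PAT reached this run
        env:
          ORG_TOKEN: ${{ secrets.ORG_TOKEN }}
        run: |
          if [ -z "$ORG_TOKEN" ]; then
            echo "::error::ORG_TOKEN is empty for actor '${{ github.actor }}' on event '${{ github.event_name }}'."
            echo "Runs triggered by dependabot[bot] only see Dependabot secrets;"
            echo "register a Dependabot secret named ORG_TOKEN if this step must run for those PRs."
            exit 1
          fi

      # Unchanged from the poster's workflow apart from the comment:
      # with a same-named Dependabot secret in place, this step works for
      # both human-opened and Dependabot-opened pull requests.
      - name: Checkout Github Action
        uses: actions/checkout@v2
        with:
          path: github-actions
          repository: myor/org-actions
          token: ${{ secrets.ORG_TOKEN }}
```

The guard only reports which actor and event produced the empty secret; it does not widen any permissions. If the private actions are not actually needed to validate a dependency bump, a narrower option is to skip the private checkout with `if: github.actor != 'dependabot[bot]'` so that Dependabot PRs never need the PAT at all.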