Dependabot doesn't see GitHub actions secrets

Hi,
I have a question on how to enable GitHub Actions on Dependabot PRs to see the secrets of the repo.

The problem is

The question at the end is - How to run Actions which need secrets on Dependabot PRs?
Alternatively: How to pass API keys into these actions without secrets in a secure way?

Thanks for any ideas.

35 Likes

I tried to split my workflows into the one that will build the ‘pull request’ (urlaubsverwaltung/maven.yml at 552c2761b6144d092578295508398d877930ab70 · synyx/urlaubsverwaltung · GitHub) and the one that updates the dependabot branch with an additional commit from my workflow, see urlaubsverwaltung/update-assets-manifest.yml at 552c2761b6144d092578295508398d877930ab70 · synyx/urlaubsverwaltung · GitHub. But this does not work because the triggered workflow with ‘workflow_run’ has the same context as the dependabot branch. So this build also cannot receive the secrets. I have no clue what to try next now.

1 Like

Same issue for us here! Seems to be a recent thing as builds were working before but suddenly Dependabot builds can’t see secrets anymore. :thinking:

2 Likes

According to https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/ this is intentional.

8 Likes

Ah amazing! Great find! Thanks! :raised_hands:

1 Like

Thanks, I understand this is intentional, which is at the end the problem. So far it seems like there isn’t a way to make Dependabot see secrets for now?
Allowing it to be a collaborator would be good enough :slight_smile:

3 Likes

Yes, there needs to be a solution. This is probably affecting a lot of projects. You can’t even do code coverage on a private project anymore. You either use secrets now, or you use dependabot.

1 Like

I agree, even if a repository is public but its CI workflow is using some secrets, which is a perfectly legitimate use case, those workflows won’t succeed anymore in Dependabot pull requests, which is basically broken.

2 Likes

We are dealing with this exact issue where our CI workflow fails for PRs created by Dependabot since it cannot read secret values. Huh.

1 Like

So I should commit the Docker Hub token in plain text?

IMHO committing secrets is the only workaround if your CI run needs them.

I would be totally fine with dependabot PRs not having commit permissions on the repo, if these still see the secrets.

I couldn’t make pull_request_target work for that case.

Maybe it’s something new that has happened in the last few days, but I’ve found this article about adding Dependabot-specific secrets that I’ve had success with in terms of getting the Dependabot-triggered builds to see repo secrets.

4 Likes
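The two approaches the thread has raised so far are pull_request_target (which the earlier reply could not get working) and Dependabot-specific secrets (the article above). The workflow below is an added example, not code from this thread or from any of the linked repositories, showing the Dependabot-secrets route in a defensive layout: the job that builds and tests the PR head uses no secrets at all, and the one step that genuinely needs an external credential lives in its own job and checks that the secret actually resolved before using it. The secret name EXTERNAL_API_TOKEN, the make test target and the api.example.com endpoint are placeholders.

```yaml
# Added example; not from the thread or the linked repositories.
# EXTERNAL_API_TOKEN, `make test` and api.example.com are placeholders.
name: CI

on:
  pull_request:

# Least privilege for GITHUB_TOKEN; Dependabot-triggered runs are read-only anyway.
permissions:
  contents: read

jobs:
  # Job 1: build and test the PR head. It uses no secrets at all, so it
  # behaves identically for a human PR and for a Dependabot PR.
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: make test

  # Job 2: the single step that needs an external credential.
  # The same ${{ secrets.NAME }} expression is resolved from the repository
  # (Actions) secrets for a normal PR and from the Dependabot secrets
  # (Settings > Secrets > Dependabot) when github.actor is dependabot[bot],
  # so the value has to be stored in both places.
  report:
    needs: build
    runs-on: ubuntu-latest
    env:
      API_TOKEN: ${{ secrets.EXTERNAL_API_TOKEN }}
    steps:
      # Fail fast with an explicit message instead of letting an empty
      # variable surface as an opaque error further down (the failure mode
      # reported in this thread). The secret value itself is never printed.
      - name: Verify the secret actually resolved
        run: |
          if [ -z "$API_TOKEN" ]; then
            if [ "$GITHUB_ACTOR" = "dependabot[bot]" ]; then
              echo "::error::EXTERNAL_API_TOKEN is empty; add it under Settings > Secrets > Dependabot"
            else
              echo "::error::EXTERNAL_API_TOKEN is empty; add it under Settings > Secrets > Actions"
            fi
            exit 1
          fi
      - name: Send the run result to the external service
        run: |
          curl -fsS -X POST \
            -H "Authorization: Bearer $API_TOKEN" \
            -H "Content-Type: application/json" \
            --data "{\"sha\":\"$GITHUB_SHA\",\"actor\":\"$GITHUB_ACTOR\"}" \
            https://api.example.com/reports
```

Keeping the secret-using step in a separate job also limits what a compromised dependency pulled in by `make test` can reach, since that job never sees `API_TOKEN`. If you instead switch the trigger to pull_request_target, remember that it runs in the context of the base branch and receives that context's secrets; a job on that trigger should not check out and execute the PR head, or the untrusted change gets the credentials the split above was meant to keep away from it.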

This is affecting me as well.

No success for me using the Dependabot-specific secrets, as they seem to only work within dependabot.yml and not the workflow files.

My use case is mainly external application secrets, and commenting on PRs with pronto.

3 Likes

Did the pull request actions that dependabot opened have access to the dependabot secrets?

They did for me. Both PR and push had access to the dependabot secrets.

How are you using those in your workflow files, just ${{ secrets.SECRET_NAME }} like for regular secrets?

1 Like

Yeah, just like regular secrets.

1 Like

I tried today the Dependabot secrets and it doesn’t seem to work for me.

These are the Dependabot secrets:

  • This is the first failed run by Dependabot, with the secrets not being present, resulting in empty environment variables.
    [Screenshot 2021-03-22 at 21.05.10]

  • Definition of the env vars here.

  • This is the second, successful run after a manual rerun of the failed workflow by myself.
    [Screenshot 2021-03-22 at 21.07.33]

@YashdalfTheGray - Could you please show a similar example which works for you? Or do you see any problem in what I’m sharing?

Yeah. So I defined my secrets just like you’ve done.

Then in my GitHub Actions file, I have something like this which just started working after the secrets got added under the dependabot section.

Had to create two posts since I’m a new user to put all the information down. But here are the results of my post above.

Before adding dependabot secrets

After adding dependabot secrets