Dependabot doesn't see GitHub actions secrets

@YashdalfTheGray thanks a lot for sharing this. Please help me clarify: did you maybe rerun the workflow?

What I see on the failure one is this:
The failed run


The successful one

and this behaviour happens to me as well when I rerun the Dependabot workflows, however I would be curious if you maybe added any special secret to Dependabot to make this work on the new PR?

1 Like

I didn’t, just added the secrets.

Since adding the secrets, dependabot PRs have been passing their CI checks (example).

Same here, Dependabot builds are failing, but when re-running the jobs GITHUB_TOKEN gets my user’s permissions and they pass. I couldn’t get the same behavior @YashdalfTheGray mentions…

As Dependabot Pull Requests are now handled like they were from forks, you can go into your Organization Settings → Actions and check all of those:

Hope that helps!

7 Likes

Good to know that there are these options available now. Nevertheless, it sounds like enabling them opens up a much larger security hole than what was addressed by hiding secrets from Dependabot PRs and making the default token read-only. By the look of it, enabling those will let anybody forking your repository steal your secrets and do any sorts of malicious actions with them. They only apply to private repositories which should already be restricted, meaning that they don’t address the issue with using Dependabot on public repositories.

1 Like

This configuration change addressed my organization CI problem! Thanks!

1 Like

I agree.
So is there way to tell that dependabot is able to read secrets?

That’s only available per organization level, which exposes a huge security risk compared to what one would like to achieve - give access to secrets only for dependabot. Maybe there could either be settings per repo or a list of users to whitelist.

1 Like

I know that this is a potential security risk and not a great solution, but I think for an organization with only private repositories it’s a “good-enough” workaround until there is a better solution.

This needs to be fixed.
Currently there is no secure way to have Dependabot access secrets in workflows.
Why aren’t the Dependabot secrets active in pull requests?

2 Likes

I have exactly the same problem. I have a public repo with 2 access tokens stored as secrets. My Dependabot pull requests started failing and I have to kick them off manually every time (which is far from perfect).

I set up my secrets (basically copied them) as per the official documentation: Managing encrypted secrets for Dependabot - GitHub Docs, but Dependabot still cannot read them.

Or… perhaps this option is not available to public repos or free accounts?

I actually switched from Travis 2 weeks ago and I’m thinking about switching back… My CI/CD is broken.

2 Likes

For my organization, the secret we’re having trouble with is Codecov on a private repository that we don’t allow forks of anyway, so I’m planning to include the Codecov token in the workflow yaml file instead of using a secret. This is not ideal, but because we do have public open source repositories in this organization that upload to PyPI, enabling that setting isn’t wise.

If this were not an option, it seems that splitting up our organization into two, one for public and one for private repos, would be the next best option. I really hate to multiply organizations for that purpose, though.

1 Like

I too have this problem and I think it surfaced after going from legacy Dependabot to the GitHub native one (after merging its .github/dependabot.yml pull request).

I had secrets.GPR_TOKEN defined and working for my own pull requests, but Dependabot’s pull requests kept failing. After adding the secret under the Dependabot section in GitHub, some of Dependabot’s pull requests suddenly started working again, but not all.

While one is successful, another one fails. I’m unable to explain the discrepancy. If adding secrets used in a workflow as a “Dependabot secret” is supposed to work, it seems to be an undocumented, obscure and fragile feature. I at least can’t find any mention of it in the documentation.

3 Likes
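Added example (not code from any poster above or from GitHub's documentation): a minimal workflow showing where a secret has to live for the post above to work. It assumes the secret is named GPR_TOKEN (the name used in that post), that the same value has been added both under Settings > Secrets > Actions and under Settings > Secrets > Dependabot, and that the registry is GitHub Packages with a hypothetical npm scope @your-org. Workflow runs triggered by dependabot[bot] only see the Dependabot secret store, and runs triggered by human pull requests only see the Actions store, which is why a secret that works for your own PRs can be empty in Dependabot's. The check step makes that failure mode explicit instead of surfacing as a 401 from the registry later on.

```yaml
# Added example, not part of the original thread. Assumes a secret named
# GPR_TOKEN stored in BOTH secret stores (Actions and Dependabot) and a
# hypothetical npm scope @your-org on GitHub Packages.
#
# Do not "fix" missing secrets by switching this to pull_request_target and
# checking out the PR head: that runs the PR's code with the base repository's
# secrets, which is exactly the fork-exfiltration risk raised in this thread.
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Least privilege for the job; Dependabot-triggered runs start read-only anyway.
permissions:
  contents: read
  packages: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Fail early with a clear message. The secret value is never echoed;
      # only its presence is checked. Context values are passed through env
      # rather than interpolated into the script to avoid expression injection.
      - name: Check that the registry token reached this run
        env:
          GPR_TOKEN: ${{ secrets.GPR_TOKEN }}
          GH_ACTOR: ${{ github.actor }}
          GH_EVENT: ${{ github.event_name }}
        run: |
          if [ -z "${GPR_TOKEN}" ]; then
            echo "::error::GPR_TOKEN is empty in this run (actor=${GH_ACTOR}, event=${GH_EVENT})."
            if [ "${GH_ACTOR}" = "dependabot[bot]" ]; then
              echo "::error::Runs triggered by dependabot[bot] only see Settings > Secrets > Dependabot; add GPR_TOKEN there."
            else
              echo "::error::Runs triggered by users only see Settings > Secrets > Actions; add GPR_TOKEN there."
            fi
            exit 1
          fi
          echo "GPR_TOKEN is present for actor ${GH_ACTOR} (event ${GH_EVENT})"

      - name: Install from GitHub Packages
        env:
          GPR_TOKEN: ${{ secrets.GPR_TOKEN }}
        run: |
          # Hypothetical scope name; replace @your-org with the real one.
          printf '//npm.pkg.github.com/:_authToken=%s\n@your-org:registry=https://npm.pkg.github.com\n' "${GPR_TOKEN}" > ~/.npmrc
          npm ci
```

A human re-running a failed Dependabot job runs it under their own identity, so the Actions store (and a write-capable GITHUB_TOKEN) is used on the re-run; that is why a re-run can pass while the original run failed, and it is not evidence that the Dependabot secret is configured correctly.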

Same issue on paid private account. PRs created by Dependabot cannot read secrets.

Fork pull request workflows section in Settings > Actions is greyed out and unable to amend that.

Added secrets in Repo Settings > Secrets > Dependabot

Bit stuck!

1 Like

Link: Dependabot cannot update this dependency (Private Registry) - #11 by david-guillot

This should be fixed…

Same issue here. Looks like there isn’t currently any way for Dependabot to use secrets outside of opening up an organisation-wide security hole. This needs to be fixed.