Dependabot PRs and Workflow Secrets

I’m about ready to migrate away from Dependabot in favor of a hand-rolled Action that runs with a proper token because of all the noise from failed builds. Are there any plans to make this a nicer experience?


Running into the same issue, we have test and branch-deploy actions that we want to execute on dependabot PRs that are no longer working due to their lack of access to these secrets.

Would you mind sharing a bit more detail on how you made dependabot work with the pull_request_target event?

This is the code I have for on:

  push:
    branches:
      - PMC*
  pull_request_target:
    branches-ignore:
      - PMC*

Our project key is PMC, and we have a separate file that deals with builds happening on the main branch.
I actually don’t think the branch-ignore property works, so this could do the same job:

on:
  push:
    branches:
      - PMC*
  pull_request_target:

I had played around with setting branch to 'dependabot/**', but that didn’t work so I removed it, but you could try it yourself.

If you do a site-wide search in git for “dependabot/**” you’ll be able to find other Workflow files that might help you move in the right direction.
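The trigger shown above makes the workflow run in the base repository's context with access to repository secrets. As an added example (not code from any poster in this thread), here is one complete workflow that uses that trigger while limiting it to Dependabot; the workflow name, the `npm` test command and the `NPM_TOKEN` secret are assumptions.

```yaml
# Hypothetical workflow file: .github/workflows/pr-tests.yml (added example, not from the thread)
name: pr-tests

on:
  # Normal PRs: runs in the PR author's context, so fork PRs get no repository secrets.
  pull_request:
  # Dependabot PRs: runs in the base repository's context, so secrets are available.
  # This event is gated to Dependabot only in the job condition below.
  pull_request_target:
    types: [opened, synchronize, reopened]

# Least privilege for the automatic GITHUB_TOKEN; widen only what a step actually needs.
permissions:
  contents: read

jobs:
  test:
    # Run exactly once per PR: the unprivileged event for humans, the privileged one for Dependabot.
    if: >-
      (github.event_name == 'pull_request' && github.actor != 'dependabot[bot]') ||
      (github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # On pull_request_target the default checkout is the base branch, not the PR.
          # Check out the PR head by commit SHA so the job tests the dependency update and
          # a later push to the branch cannot swap in different code after the run starts.
          ref: ${{ github.event.pull_request.head.sha }}

      - run: npm ci && npm test   # hypothetical test command for this example
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # hypothetical secret for a private registry
```

Note the trade-off this makes: with `pull_request_target`, whatever the checked-out code runs (install scripts, test setup) executes with the repository's secrets, which is why the job condition keeps that event to `dependabot[bot]` and why the secrets exposed should be scoped to what the job needs. Secrets declared for Dependabot itself (the ones referenced from `dependabot.yml`) are separate from Actions secrets and are not what a workflow reads via `secrets.*`.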

We have addressed it by moving the merge code into a GH App hosted outside of the action we use in our workflows. Described in more detail here: Automating Dependabot with our GitHub app - NearForm

I’d just like to point out this duplicate thread. Perhaps some of the suggestions there are of help to anyone (unfortunately they have not been for me).

Seems like it’s for reference in dependabot.yml, and workflows are still using Actions secrets.