I’m about ready to migrate away from Dependabot in favor of a hand-rolled Action that runs with a proper token because of all the noise from failed builds. Are there any plans to make this a nicer experience?
Running into the same issue: we have test and branch-deploy actions that we want to execute on Dependabot PRs, and they are no longer working due to their lack of access to these secrets.
Would you mind sharing a bit more detail on how you made dependabot work with the
This is the code I have for
```yaml
push:
  branches:
    - PMC*
pull_request_target:
  branches-ignore:
    - PMC*
```
Our project key is PMC, and we have a separate file that deals with builds happening on the
I actually don’t think the
branch-ignore property works, so this could do the same job:
```yaml
on:
  push:
    branches:
      - PMC*
  pull_request_target:
```
I had played around with setting
'dependabot/**', but that didn’t work so I removed it, but you could try it yourself.
If you do a site-wide search in git for “dependabot/**” you’ll be able to find other Workflow files that might help you move in the right direction.
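An added example, not from any poster in this thread: on `pull_request_target` the `branches` and `branches-ignore` filters match the pull request's base branch, not its head branch, so one way to scope a job to Dependabot PRs is a job-level `if:` on the PR author and head ref. The workflow and job names, the `npm` commands and the secret name `DEPLOY_TOKEN` are assumptions.

```yaml
name: dependabot-tests            # hypothetical workflow name
on:
  push:
    branches:
      - PMC*
  pull_request_target:            # no branch filter here: it would test the base branch

permissions:
  contents: read                  # least privilege for the workflow's GITHUB_TOKEN

jobs:
  test:                           # hypothetical job name
    runs-on: ubuntu-latest
    # pull_request_target jobs can read repository secrets, so only run PR code
    # when the PR was opened by Dependabot, from this repository, on a
    # dependabot/ head branch. Pushes to PMC* branches run as before.
    if: >-
      github.event_name == 'push' ||
      (github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository &&
      startsWith(github.event.pull_request.head.ref, 'dependabot/'))
    steps:
      - uses: actions/checkout@v4
        with:
          # pull_request_target checks out the base branch by default;
          # select the PR commit explicitly (falls back to the pushed commit).
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          persist-credentials: false   # keep the token out of .git/config
      - run: npm ci && npm test        # placeholder build and test commands
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # hypothetical secret name
```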
We have addressed it by moving the merge code into a GH App hosted outside of the action we use in our workflows. Described in more detail here: Automating Dependabot with our GitHub app - NearForm
I’d just like to point out this duplicate thread. Perhaps some of the suggestions there are of help to anyone (unfortunately they have not been for me).
Seems like it’s for reference in
dependabot.yml, and workflows are still using