Dependabot's PRs do not use available secrets

I’ve been working on setting up Dependabot within our organisation. After some false starts with the new private registry stuff, I have it working and it’s started to create PRs to update dependencies. So far, so good.

However, our CI tests are failing on all of Dependabot’s pull requests. These tests require some organisation secrets in order to run (so we can install dependencies). I guess that because Dependabot is not a member of the organisation, GitHub is deliberately blocking Dependabot’s access to the secrets.

So my question is, can we work around this somehow? Is there a way to grant Dependabot access to the repository secrets? Is there some other way we can get these CI tests to run without having to do it manually every time?

You can, but the odds are that you’ll be vulnerable to a supply-chain attack.
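An added illustration of what the answer means (example configuration, not part of the original post or of Dependabot's own documentation): the usual way to "grant" secrets to Dependabot's PRs is to run CI on the `pull_request_target` event, which executes in the base repository's context and therefore sees Actions secrets, and then check out the PR's own code. The first workflow below is that weak setting; the second is the safer shape. The file names, the secret name `NPM_TOKEN` and the npm install step are assumptions for the example.

```yaml
# .github/workflows/ci-risky.yml  (hypothetical file name; the workaround the answer warns about)
name: ci
on:
  pull_request_target:            # runs in the BASE repo context: Actions secrets are available
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # checks out the PR author's code ...
      - run: npm ci               # ... and runs its install/postinstall scripts with the secret in env
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name; can be read by the PR's scripts
# Anyone who can influence the code on the PR branch (a fork PR, a push to the Dependabot branch,
# or a compromised package whose postinstall runs under npm ci) gets the secret. pull_request_target
# also hands out a GITHUB_TOKEN with write scope by default unless permissions are restricted.

---
# .github/workflows/ci.yml  (hypothetical file name; the safer shape)
name: ci
on:
  pull_request:                   # runs in the PR context: Actions secrets are NOT exposed to forks
permissions:
  contents: read                  # least privilege for the GITHUB_TOKEN
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4 # default ref is the PR merge commit; no head.sha override needed
      - run: npm ci --ignore-scripts   # do not let dependency lifecycle scripts run with credentials
        env:
          # For PRs opened by dependabot[bot], secrets.* resolves from the repository's
          # Dependabot secrets (Settings > Secrets and variables > Dependabot), so the registry
          # token must also be stored there under the same assumed name.
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The point of the contrast is who can run code while the secret is in the environment: with `pull_request_target` plus a checkout of the PR head, that is whoever controls the PR branch; with `pull_request`, the PR runs in an untrusted context and a separate, Dependabot-only secret store is what the update job reads.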