Opt-in to allow secrets on Dependabot workflows

Currently, Actions that run off Dependabot PRs don’t have access to secrets, as they are treated like PRs from forks (cf. "GitHub Actions: Workflows triggered by Dependabot PRs will run with read-only permissions | GitHub Changelog").

Dependabot users in "Dependabot cant read secrets anymore · Issue #3253 · dependabot/dependabot-core · GitHub" have a desire to opt in to allow Dependabot-triggered workflows access to secrets.

As an example:

```yaml
name: Dependabot Workflow
on:
  pull_request

jobs:
  do-stuff:
    runs-on: ubuntu-latest
    can-access-secrets: true  # proposed opt-in key
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - uses: ...
```

Or:

```yaml
name: Dependabot Workflow
on:
  pull_request

jobs:
  do-stuff:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - uses: ...
        with:
          # proposed context for explicit secret access
          some-secret-value: ${{ allow_insecure_secret_access.MY_SECRET }}
```
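For comparison with the proposal above, an added example (not part of the original post) of how a workflow can be structured under the current restriction: jobs that need no secrets run for every PR, and the job that reads `MY_SECRET` is skipped for Dependabot and fork PRs, where the secret would be empty. The workflow name, job names and `make` targets are assumptions.

```yaml
name: CI  # hypothetical workflow name
on:
  pull_request

# Read-only token for every job, matching what Dependabot-triggered runs receive
permissions:
  contents: read

jobs:
  # Needs no secrets, so it is safe and useful on every PR,
  # including those opened by Dependabot or from forks.
  unit-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test  # hypothetical build target

  # Needs a secret. Skipped when the run would not receive it:
  #   - PRs opened by Dependabot
  #   - PRs whose head branch lives in a fork
  integration-tests:
    runs-on: ubuntu-latest
    if: >-
      ${{ github.actor != 'dependabot[bot]' &&
          github.event.pull_request.head.repo.full_name == github.repository }}
    steps:
      - uses: actions/checkout@v4
      - run: make integration-test  # hypothetical build target
        env:
          # Passed to one step only, not to the whole job
          API_TOKEN: ${{ secrets.MY_SECRET }}
```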