Opt-in to allow writable tokens on Dependabot workflows #26805

asciimike · 2021-06-01T22:24:34Z

asciimike
Jun 1, 2021

Currently, Actions that run off Dependabot PRs don’t have writable tokens, as they are treated like PRs from forks (c.f.: GitHub Actions: Workflows triggered by Dependabot PRs will run with read-only permissions | GitHub Changelog).

Dependabot users in Dependabot cant read secrets anymore · Issue #3253 · dependabot/dependabot-core · GitHub have a desire to opt-in events to allow Dependabot triggered workflows to have writable tokens.

As an example:

name: Dependabot Workflow
on:
  pull_request
allow permissions to be up-scoped
permissions:

pull_requests: write
jobs:

do-stuff:

runs-on: ubuntu-latest

if: ${{ github.actor == 'dependabot[bot]' }}

steps:

- uses: ...

Answered by asciimike

Oct 11, 2021

The Actions team has shipped this feature: GitHub Actions: Workflows triggered by Dependabot PRs will respect permissions key in workflows | GitHub Changelog

View full answer

Simran-B · 2021-06-21T12:54:53Z

Simran-B
Jun 21, 2021

Should this topic be pinned? If I recall correctly, then there were quite a few other topics around this topic.

BTW: Does this also help in the following scenario?

I have a repository main and a repository other in the same org
A workflow is supposed to run in main and push a new branch to other
By default, the push to the other repo fails because of lack of permissions. I could use a PAT, but it would be strange to use one for an automation like this that should be attributed to the github actions bot.

0 replies

asciimike · 2021-10-11T20:07:06Z

asciimike
Oct 11, 2021
Author

The Actions team has shipped this feature: GitHub Actions: Workflows triggered by Dependabot PRs will respect permissions key in workflows | GitHub Changelog

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Opt-in to allow writable tokens on Dependabot workflows #26805

{{title}}

allow permissions to be up-scoped

Replies: 2 comments

{{title}}

{{title}}

Select a reply

GitHub Community

Opt-in to allow writable tokens on Dependabot workflows #26805

asciimike Jun 1, 2021

allow permissions to be up-scoped

Replies: 2 comments

Simran-B Jun 21, 2021

asciimike Oct 11, 2021 Author

asciimike
Jun 1, 2021

Simran-B
Jun 21, 2021

asciimike
Oct 11, 2021
Author