Opt-in to allow writable tokens on Dependabot workflows

Currently, Actions that run off Dependabot PRs don’t have writable tokens, as they are treated like PRs from forks (cf. the GitHub Changelog post "GitHub Actions: Workflows triggered by Dependabot PRs will run with read-only permissions").

Dependabot users (see "Dependabot can't read secrets anymore", issue #3253 in dependabot/dependabot-core on GitHub) want a way to opt in to events so that Dependabot-triggered workflows can have writable tokens.

As an example:

name: Dependabot Workflow
on:
  pull_request

# allow permissions to be up-scoped
permissions:
  pull-requests: write   # the permission key is pull-requests (hyphen), not pull_requests

jobs:
  do-stuff:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - uses: ...
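As an added example, not from the original post, this is the opt-in that already exists today: a `pull_request_target` workflow restricted to Dependabot, with least-privilege permissions, that deliberately does not check out the PR's head ref so that code from the PR branch never executes with the writable token. The label name and the `gh` step are illustrative.

```yaml
name: Dependabot auto-label
on:
  pull_request_target:
    types: [opened, synchronize]

# Least privilege: grant only what the job below actually needs.
permissions:
  contents: read
  pull-requests: write

jobs:
  label:
    runs-on: ubuntu-latest
    # Only run for Dependabot PRs. With pull_request_target the workflow
    # definition and GITHUB_TOKEN come from the base branch, not the PR.
    if: github.actor == 'dependabot[bot]'
    steps:
      # Intentionally no checkout of github.event.pull_request.head.sha:
      # untrusted PR-branch code must not run with a write-scoped token.
      - name: Add a label using the workflow token
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr edit "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --add-label dependencies
```

Per the changelog linked above, the token on `pull_request_target` stays read-only when the PR's base branch was itself created by Dependabot, so this only covers PRs targeting a normal branch such as `main`.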

Should this topic be pinned? If I recall correctly, there were quite a few other topics on this subject.

BTW: Does this also help in the following scenario?

  • I have a repository main and a repository other in the same org
  • A workflow is supposed to run in main and push a new branch to other
  • By default, the push to the other repo fails because of lack of permissions. I could use a PAT, but it would be strange to use one for an automation like this that should be attributed to the github actions bot.