Secrets only available on second GitHub Action run

Hi all!

We have a Python repository that is using native Dependabot. When Dependabot creates a PR with dependency updates, secrets are not available on the first run of the PR validation GitHub Actions job. However, if that job is restarted, then secrets are available.

We are using organization-wide secrets. Could this be a bug?

Secrets not being available to Dependabot PR builds is intentional, to prevent certain security problems:

I assume the reason it works when you re-run the build is because then you (not Dependabot) are the actor of the event. :sweat_smile: That assumption comes from this thread: