Comments (5)
Unless the document is wrong. Here is the use case for using the secrets in custom action and those secrets are defined inside dependabot.yml
https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets
This leads to the next issue on how to allow this method to trigger workflows since the PR is treated as if it were coming from a forked repository. With github-action-merge-dependabot v2 where the dependabot-merge-action-app solution was used, it was able to trigger the workflow on push event, but v3 has switched to the new permissions config using GITHUB_TOKEN.
This is discussed inside #134 and there is no plan for reverting back to a backing API design.
from github-action-merge-dependabot.
It is expected behavior. The actor of the workflow is dependabot, which doesn't have permission to read secrets of your organization or repo. When you re-run the action, the actor will change to you and it has access to the secrets.
This behavior is explained in GitHub Docs.
Secrets are populated from Dependabot secrets. GitHub Actions secrets are not available.
If you need to pass the secrets to dependabot, then you need to follow the guide and edit dependabot.yml.
from github-action-merge-dependabot.
@austins with v3 there is no way to trigger workflows as a result of a PR being automerged by the action. It's a compromise we accepted because it simplifies the architecture of the solution. In all honesty we realized it after the fact, but we're not planning to go back to the previous solution anyway. I believe v2 is probably still working, but it can stop working any time as we're not actively maintaining it.
from github-action-merge-dependabot.
It appears that GitHub workflows can be sent Dependabot secrets since November 30, 2021. Mixed sources made it hard to confirm this. This lines up with the doc @climba03003 linked to.
I've added the secrets that the workflow jobs need in the "Dependabot secrets" settings for the repo. I didn't have to modify the dependabot.yml file. I can confirm that this works. I hope this helps others who have a similar use case and need to run CI/CD workflows when they're triggered by the dependabot[bot] actor.
Thanks for the help, @climba03003, and the info, @simoneb! Closing this issue since it's not a bug with fastify/github-action-merge-dependabot. 😃
from github-action-merge-dependabot.
The actor being dependabot makes sense and would explain this issue. However, according to this forum thread that @simoneb also contributed to, it seems that Dependabot secrets are only for config options in dependabot.yml "so that Dependabot can update dependencies from private registries" and can't be used in the workflow where github-action-merge-dependabot is added as a job, unless things changed since a year ago.
So with:
permissions:
  pull-requests: write
  contents: write
This leads to the next issue on how to allow this method to trigger workflows since the PR is treated as if it were coming from a forked repository. With github-action-merge-dependabot v2 where the dependabot-merge-action-app solution was used, it was able to trigger the workflow on push event, but v3 has switched to the new permissions config using GITHUB_TOKEN.
from github-action-merge-dependabot.
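A check for the behaviour discussed in this thread, as an added example that is not part of the original discussion or the project's own code: it lists the secrets a workflow references that are absent from the repository's Dependabot secrets, which would therefore be empty when the actor is dependabot[bot], and does a textual check for the two write permissions quoted above. The sample workflow, the secret names `NPM_TOKEN` and `STAGING_API_KEY`, and the function names are constructed for illustration.

```python
import re

# Constructed sample workflow (not taken from the thread).
SAMPLE_WORKFLOW = """\
name: CI
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          API_KEY: ${{ secrets.STAGING_API_KEY }}
  automerge:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: write
    steps:
      - uses: fastify/github-action-merge-dependabot@v3
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
"""

EXPR = re.compile(r"\$\{\{(.*?)\}\}", re.S)
SECRET_REF = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")

def secrets_referenced(workflow_text):
    """Names of secrets used inside ${{ ... }} expressions (case-insensitive)."""
    names = set()
    for expr in EXPR.findall(workflow_text):
        names.update(n.upper() for n in SECRET_REF.findall(expr))
    return names

def missing_for_dependabot(workflow_text, dependabot_secrets):
    """Secrets that would be empty in a run whose actor is dependabot[bot]."""
    # GITHUB_TOKEN is injected automatically, so it is never "missing".
    available = {s.upper() for s in dependabot_secrets} | {"GITHUB_TOKEN"}
    return sorted(secrets_referenced(workflow_text) - available)

def grants_merge_permissions(workflow_text):
    """Textual (not YAML-aware) check for both write scopes on their own lines."""
    return all(re.search(rf"^\s*{key}:\s*write\s*$", workflow_text, re.M)
               for key in ("pull-requests", "contents"))
```

Feed `missing_for_dependabot` the names shown under the repository's "Dependabot secrets" settings; anything it returns needs to be added there before Dependabot-triggered runs can use it.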