
Comments (5)

climba03003 avatar climba03003 commented on June 1, 2024 2

Unless the document is wrong. Here is the use case for using the secrets in custom action and those secrets are defined inside dependabot.yml
https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets

> This leads the next issue on how to allow this method to trigger workflows since the PR is treated as if it were coming from a forked repository. With github-action-merge-dependabot v2 where the dependabot-merge-action-app solution was used, it was able to trigger the workflow on push event, but v3 has switched to the new permissions config using GITHUB_TOKEN.

This is discussed inside #134 and there is no plan for reverting back to a backing API design.

from github-action-merge-dependabot.

climba03003 avatar climba03003 commented on June 1, 2024 1

It is expected behavior.
The actor of the workflow is dependabot, which doesn't have permission to read the secrets of your organization or repo.
When you re-run the action, the actor changes to you, and it has access to the secrets.

This behavior is explained in Github Docs.

Secrets are populated from Dependabot secrets. GitHub Actions secrets are not available.

If you need to pass the secrets to dependabot, then you need to follow the guide and edit dependabot.yml.


simoneb avatar simoneb commented on June 1, 2024 1

@austins with v3 there is no way to trigger workflows as a result of a PR being automerged by the action. It's a compromise we accepted because it simplifies the architecture of the solution. In all honesty we realized it after the fact, but we're not planning to go back to the previous solution anyway. I believe v2 is probably still working, but it can stop working any time as we're not actively maintaining it.


austins avatar austins commented on June 1, 2024 1

It appears that GitHub workflows can be sent Dependabot secrets since November 30, 2021. Mixed sources made it hard to confirm this. This lines up with the doc @climba03003 linked to.

I've added the secrets that the workflow jobs need in the "Dependabot secrets" settings for the repo. I didn't have to modify the dependabot.yml file. I can confirm that this works. I hope this helps others who have a similar use case and need to run CI/CD workflows when they're triggered by the dependabot[bot] actor.

Thanks for the help, @climba03003, and the info, @simoneb! Closing this issue since it's not a bug with fastify/github-action-merge-dependabot. 😃

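A workflow that puts the thread's conclusion together, as an added example rather than code from the thread or from the fastify project: explicit GITHUB_TOKEN permissions, a secret that is read from "Dependabot secrets" when the actor is dependabot[bot], an early check that the secret actually arrived instead of letting a later step fail with an empty value, and the merge action gated on the Dependabot actor. The secret name NPM_TOKEN is a constructed placeholder, and the `github-token` input name is assumed from the action's README.

```yaml
# Added example, not code from the thread or the fastify project.
# Assumptions: NPM_TOKEN is a constructed placeholder that must be created
# under the repo's "Dependabot secrets" (Settings -> Secrets and variables
# -> Dependabot); the `github-token` input name is assumed from the action's
# README.
name: dependabot-ci-and-merge

on:
  pull_request:

# Explicit permissions for GITHUB_TOKEN: Dependabot-opened PRs are treated
# like PRs from a fork and otherwise run with a read-only token.
permissions:
  pull-requests: write
  contents: write

jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # When github.actor is dependabot[bot], `secrets.*` is resolved from
      # Dependabot secrets, not Actions secrets. Fail fast with a clear
      # message rather than discovering an empty token three steps later.
      - name: Check that the Dependabot secret is present
        if: github.actor == 'dependabot[bot]'
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          if [ -z "$NPM_TOKEN" ]; then
            echo "::error::NPM_TOKEN is empty. For the dependabot[bot] actor it must be defined as a Dependabot secret, not only as an Actions secret."
            exit 1
          fi

      - name: Install and test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          npm ci
          npm test

  merge:
    needs: ci
    runs-on: ubuntu-latest
    # Only act on Dependabot's own PRs.
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: fastify/github-action-merge-dependabot@v3
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

Because a manual re-run switches the actor to the person who clicked re-run (as noted above in the thread), the same secret has to exist under both Actions secrets and Dependabot secrets if the workflow must pass on both the original Dependabot run and a human re-run; the check step makes the missing case visible in the job log either way.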

austins avatar austins commented on June 1, 2024

The actor being dependabot makes sense and would explain this issue. However, according to this forum thread, to which @simoneb also contributed, it seems that Dependabot secrets are only for config options in dependabot.yml "so that Dependabot can update dependencies from private registries" and can't be used in the workflow where github-action-merge-dependabot is added as a job, unless things have changed since a year ago.

So with:

permissions:
  pull-requests: write
  contents: write

This leads the next issue on how to allow this method to trigger workflows since the PR is treated as if it were coming from a forked repository. With github-action-merge-dependabot v2 where the dependabot-merge-action-app solution was used, it was able to trigger the workflow on push event, but v3 has switched to the new permissions config using GITHUB_TOKEN.

