If you’ve ever encountered failed builds triggered by Dependabot pull requests updating dependencies, due to missing secrets, you’re not alone. The root cause lies in how GitHub handles secrets in workflows triggered by Dependabot. In this post, we’ll explain the problem, the solution, and best practices to handle Dependabot-triggered workflows effectively.
The Problem: Missing GitHub Actions Secrets for Dependabot
When a workflow is triggered by a Dependabot event, the secrets context available to the workflow differs from workflows triggered by other events. Specifically:
- GitHub Actions secrets are not available for workflows triggered by Dependabot.
- Only Dependabot secrets are accessible to such workflows.
This means any secrets your workflow relies on—like tokens for accessing private registries or deploying code—must be configured as Dependabot secrets. Otherwise, workflows triggered by Dependabot will fail.
This design decision was made to enhance security by isolating Dependabot workflows from potentially sensitive secrets in GitHub Actions. As explained in this GitHub issue comment, which I highly recommend you read, the change ensures that Dependabot, which operates independently of the repository owner, does not have unintended access to sensitive information. This helps to reduce risks in scenarios where Dependabot’s actions might be exploited.
The Solution: Using Dependabot Secrets
Dependabot secrets work similarly to GitHub Actions secrets but must be explicitly configured for workflows triggered by Dependabot. Here’s how to set them up:
Steps to Add Dependabot Secrets
-
Go to your repository’s main page on GitHub.
-
Under your repository name, click Settings. If you don’t see this tab, select the dropdown menu and choose Settings.
-
In the sidebar under Security, select Secrets and variables, then click Dependabot.
-
Click New repository secret.
-
Enter a name for your secret in the Name field (e.g., MY_SECRET_TOKEN).
-
Provide a value for the secret.
-
Click Add secret.
Once created, the secret will appear on the Dependabot secrets page, where you can update or remove it as needed.
It’s worth noting that unlike GitHub Actions secrets, Dependabot secrets are not available in the Github Actions extension for VS Code.
For more details, refer to the official GitHub documentation on Adding a repository secret for Dependabot.
Using Secrets in Your Workflow
Dependabot secrets are referenced in workflows the same way as GitHub Actions secrets. For example:
name: Build and Test
on:
push:
pull_request:
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v3
- name: Use secret
run: echo "${{ secrets.MY_SECRET_TOKEN }}"
However, if your workflow is triggered by both Dependabot and other actors (like developers or GitHub Actions), you’ll need a strategy to ensure the correct secret is used in each case.
For more details on automating Dependabot workflows, see GitHub’s official documentation on Automating Dependabot with GitHub Actions.
Handling Workflows Triggered by Multiple Actors
If your workflow is triggered by Dependabot and other events, you have two options:
Option 1: Use Identical Secret Names
Store the required secret with the same name in both GitHub Actions secrets and Dependabot secrets. This simplifies your workflow, as you can reference the secret without conditions:
env:
MY_TOKEN: ${{ secrets.MY_SECRET_TOKEN }}
GitHub will automatically use the appropriate secret based on the triggering actor (e.g., Dependabot or a developer).
Option 2: Use Conditional Logic
If the secret names differ between GitHub Actions and Dependabot, use conditions to select the correct secret:
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v3
- name: Set token based on actor
run: echo "${{ github.actor == 'dependabot[bot]' && secrets.DEPENDABOT_TOKEN || secrets.GITHUB_ACTIONS_TOKEN }}"
Best Practices for Dependabot Workflows
-
Always Configure Required Secrets: Ensure all secrets used in workflows triggered by Dependabot are added as Dependabot secrets.
-
Name Secrets Consistently: Use identical names for GitHub Actions and Dependabot secrets to simplify workflow logic.
-
Restrict Secret Access: Only add secrets to repositories where they are required. Use fine-grained permissions to limit exposure.