
Troubleshooting Dependabot on GitHub Actions

This article provides troubleshooting information for issues you may encounter when using Dependabot with GitHub Actions.

Troubleshooting failures when Dependabot triggers existing workflows

After you set up Dependabot updates for GitHub.com, you may see failures when existing workflows are triggered by Dependabot events.

By default, GitHub Actions workflow runs that are triggered by Dependabot from push, pull_request, pull_request_review, or pull_request_review_comment events are treated as if they were opened from a repository fork. This means that, unlike workflows triggered by other actors, they receive a read-only GITHUB_TOKEN and do not have access to any secrets that are normally available. As a result, any workflow that attempts to write to the repository fails when it is triggered by Dependabot.

There are three ways to resolve this problem:

  1. You can update your workflows so that they are no longer triggered by Dependabot using an expression like: if: github.actor != 'dependabot[bot]'. For more information, see "Evaluate expressions in workflows and actions."
  2. You can modify your workflows to use a two-step process that includes pull_request_target, which does not have these limitations. For more information, see "Automating Dependabot with GitHub Actions."
  3. You can provide workflows triggered by Dependabot access to secrets and allow the permissions term to increase the default scope of the GITHUB_TOKEN. For more information, see "Automating Dependabot with GitHub Actions" and "Workflow syntax for GitHub Actions."
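
The workflow below is an added example, not taken from the original article, showing options 1 and 3 side by side in one file. The job names, the make target, the deploy script, and the secret names are hypothetical.

```yaml
name: ci
on: pull_request

# Start every job from a read-only token; jobs opt in to more below.
permissions:
  contents: read

jobs:
  test:
    # Needs no secrets and no write access, so it behaves the same
    # whether a person or Dependabot opened the pull request.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test                      # hypothetical test command

  deploy-preview:
    # Option 1: this job depends on an Actions secret that Dependabot
    # runs cannot read, so skip it for Dependabot instead of failing.
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/deploy-preview.sh    # hypothetical script
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # hypothetical secret

  dependabot-note:
    # Option 3: runs only for Dependabot. The permissions term raises the
    # GITHUB_TOKEN scope for this job alone, and only to what it needs.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - run: gh pr comment "$PR_URL" --body "Dependency update: check the changelog before merging."
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # In Dependabot-triggered runs, secrets.* resolves from the
          # repository's Dependabot secrets, not its Actions secrets.
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}   # hypothetical secret
```

Scoping the write permission to the single job that needs it keeps the rest of the workflow on the read-only token, which limits what a compromised dependency update can reach.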