Troubleshooting failures when Dependabot triggers existing workflows
After you set up Dependabot updates for GitHub.com, you may see failures when existing workflows are triggered by Dependabot events.
By default, GitHub Actions workflow runs that are triggered by Dependabot from `push`, `pull_request`, `pull_request_review`, or `pull_request_review_comment` events are treated as if they were opened from a repository fork. Unlike workflows triggered by other actors, this means they receive a read-only `GITHUB_TOKEN` and do not have access to any secrets that are normally available. This will cause any workflows that attempt to write to the repository to fail when they are triggered by Dependabot.
There are three ways to resolve this problem:

- You can update your workflows so that they are no longer triggered by Dependabot, using an expression like `if: github.actor != 'dependabot[bot]'`. For more information, see "Evaluate expressions in workflows and actions."
- You can modify your workflows to use a two-step process that includes `pull_request_target`, which does not have these limitations. For more information, see "Automating Dependabot with GitHub Actions."
- You can provide workflows triggered by Dependabot with access to secrets and use the `permissions` key to increase the default scope of the `GITHUB_TOKEN`. For more information, see "Automating Dependabot with GitHub Actions" and "Workflow syntax for GitHub Actions."
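The following workflow is an added example, not taken from GitHub's documentation, that shows the first and third options side by side: one job is skipped entirely for Dependabot-triggered runs using the `github.actor` check, while another job that must run for Dependabot raises the `GITHUB_TOKEN` scope with the `permissions` key. The workflow name, job names and the `npm` commands are placeholders chosen for illustration.

```yaml
# Added example (not from the GitHub docs page). Demonstrates handling
# Dependabot-triggered runs that would otherwise fail on write access.
name: CI with Dependabot handling

on:
  pull_request:

# Workflow-wide default: least privilege. Jobs opt in to more below.
permissions:
  contents: read

jobs:
  # Option 1: skip this job entirely when Dependabot opened the PR, so the
  # read-only GITHUB_TOKEN it receives never hits a write operation.
  release-notes:
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: echo "Updating release notes (non-Dependabot actors only)"

  # Option 3: this job still runs for Dependabot. The job-level permissions
  # key explicitly grants the one write scope it needs (commenting on the PR),
  # instead of relying on the default token, which is read-only for Dependabot.
  test-and-comment:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test   # placeholder build/test commands
      - name: Comment test result on the PR
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh pr comment "${{ github.event.pull_request.number }}" --body "Tests passed"
```

Two practical notes: any secret other than `GITHUB_TOKEN` that a Dependabot-triggered job reads must be stored as a Dependabot secret in the repository settings, because ordinary Actions secrets are not exposed to these runs; and the `pull_request_target` route (option 2) runs with the base branch's permissions, so a workflow using it should not check out and execute the pull request's head commit, otherwise the elevated token is handed to code from the PR.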