Coming up on March 1st, GitHub is changing the way GitHub Actions works with Dependabot PRs. This change will treat all Dependabot PRs as forks of your repo, so they will not have access to things like the GITHUB_TOKEN. So if you're using Dependabot in any of your projects, consider changing over to pull_request_target after reading up on the recent GitHub Actions security vulnerabilities research.
I have an example workflow that dumps the context of the runner in my Action logs. This is helpful if you don't want to use tmate or similar to debug. It's an excellent little debugging tool.
```yaml
name: dump
on:
  pull_request:
jobs:
  dump:
    runs-on: ubuntu-latest
    steps:
      - name: Dump context
        uses: crazy-max/ghaction-dump-context@v1
```
Per the changelog, I can update it to use pull_request_target so it has access to the GITHUB_TOKEN with write access. But I also only want dependabot PRs leveraging this workflow. To do this, I can add a conditional expression to my workflow that checks that the
github.actor is only
```yaml
name: dump
on:
  pull_request:
jobs:
  dump:
    runs-on: ubuntu-latest
    steps:
      - name: Dump context
        if: github.actor == 'dependabot[bot]' # added conditional
        uses: crazy-max/ghaction-dump-context@v1
```
Now the conditional will skip the workflow step if the actor is not 'dependabot[bot]'. But what if I want to fail the workflow for human contributors? I can invert the conditional, and I can also add a failure by running exit 1, like so.
```yaml
name: dump
on:
  pull_request:
jobs:
  dump:
    runs-on: ubuntu-latest
    steps:
      - name: Dump context
        if: github.actor != 'dependabot[bot]' # inverted: only human contributors hit this step
        run: exit 1 # added failure
      - name: the dump
        uses: crazy-max/ghaction-dump-context@v1
```
But keep in mind that if you have a conditional and you don't want a failure, it'll just skip the job.
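The pull_request_target variant described above, as an added example that is not from the original post: the actor check sits at the job level so every step is skipped for anyone but Dependabot, and the `permissions` values are an assumption about what the job needs. The job deliberately does not check out or run code from the PR branch, because pull_request_target runs with the base repository's token.

```yaml
name: dump
on:
  pull_request_target: # runs in the context of the base repository

# Assumption: the job only reads the repo and writes to the PR; trim to what your steps need.
permissions:
  contents: read
  pull-requests: write

jobs:
  dump:
    runs-on: ubuntu-latest
    # Job-level gate: the whole job is skipped unless the triggering actor is Dependabot.
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Dump context
        uses: crazy-max/ghaction-dump-context@v1
```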
I hope you found this helpful. Be sure to keep an eye on the GitHub Changelog for future Action updates, as well as other features.
This is part of my 28 days of Actions series. To get notified of more GitHub Action tips, follow the GitHub organization right here on Dev.