Coming up on March 1st, GitHub is changing the way GitHub Actions work with Dependabot PRs. This change will treat all Dependabot PRs as forks of your repo, so they will not have access to things like the GITHUB_TOKEN. So if you're using Dependabot in any of your projects, consider changing over to pull_request_target after reading up on the recent GitHub Actions security vulnerabilities research.
I have an example workflow that dumps the context of the runner into my Actions logs. This is helpful if you don't want to use tmate or similar to debug. It's an excellent little debugging tool.
```yaml
name: dump
on:
  pull_request:
jobs:
  dump:
    runs-on: ubuntu-latest
    steps:
      - name: Dump context
        uses: crazy-max/ghaction-dump-context@v1
```
Per the changelog, I can update it to use pull_request_target so it has access to the GITHUB_TOKEN with write access. But I also only want Dependabot PRs leveraging this workflow. To do this, I can add a conditional expression to my workflow that checks that github.actor is 'dependabot[bot]'.
```yaml
name: dump
on:
  pull_request_target: # switched from pull_request so the token has write access
jobs:
  dump:
    runs-on: ubuntu-latest
    steps:
      - name: Dump context
        if: github.actor == 'dependabot[bot]' # added conditional
        uses: crazy-max/ghaction-dump-context@v1
```
Now the conditional will skip the workflow step if the actor is not 'dependabot[bot]'. But what if I want to fail the workflow for human contributors? I can invert the conditional and add a failure step that runs exit 1, like so.
```yaml
name: dump
on:
  pull_request_target: # switched from pull_request so the token has write access
jobs:
  dump:
    runs-on: ubuntu-latest
    steps:
      - name: Fail for non-Dependabot actors
        if: github.actor != 'dependabot[bot]' # inverted conditional
        run: exit 1 # added failure
      - name: the dump
        uses: crazy-max/ghaction-dump-context@v1
```
Keep in mind that if you only have a conditional and no failure step, a non-matching actor simply skips that step; it does not fail the job.
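Putting both pieces together, here is an added example (not from the original post) of a complete workflow that guards at the job level, grants the GITHUB_TOKEN only the scopes the steps need, and fails explicitly for anyone other than Dependabot; the job names and the `permissions` scopes are my own choices, and the actor value is passed through `env` rather than interpolated into the shell script.

```yaml
name: dependabot-only-dump
# pull_request_target runs in the base repository's context, so the job
# gets a GITHUB_TOKEN with write access even for Dependabot PRs, which
# GitHub now treats like fork PRs.
on:
  pull_request_target:

# Least privilege: list only the scopes your steps actually use.
permissions:
  contents: read
  pull-requests: write

jobs:
  dump:
    # Job-level guard: the whole job is skipped unless the actor that
    # triggered this run is Dependabot.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Dump context
        uses: crazy-max/ghaction-dump-context@v1

  reject-others:
    # Explicit failure instead of a silent skip for every other actor.
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Fail for non-Dependabot actors
        env:
          # Pass the actor via env so the value is never spliced into
          # the script text as an expression.
          ACTOR: ${{ github.actor }}
        run: |
          echo "This workflow only runs for dependabot[bot]; actor was $ACTOR"
          exit 1
```

A skipped job shows as neutral in the checks list, while the failing job makes the rejection visible to whoever opened the PR.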
I hope you found this helpful. Be sure to keep an eye on the GitHub Changelog for future Action updates, as well as other features.
This is part of my 28 days of Actions series. To get notified of more GitHub Actions tips, follow the GitHub organization right here on Dev.
Top comments (1)
Nice! I still feel it is a bit hacky, but I really like how you have solved the inconvenience GitHub has created for all of us using Dependabot and integrating with third-party services. In my case, it is the upload of coverage being sent to codecov that started to fail. I can live without the code coverage not being sent to codecov on every new PR that is created by the bot, so that will be it! haha Thank you!