List trusted workflows initialised by dependabot in PR checks #4305

Closed
ashlinchak opened this issue Oct 11, 2021 · 4 comments
Labels
service 💁 Relates to Dependabot features GitHub provides T: feature-request Requests for new features

Comments

@ashlinchak

In our organisation, we're using environment variables for accessing private packages and making Docker container builds part of our CI checks. With the latest changes reducing the level of access for Dependabot, it's now not possible to build the right workflow for PRs created by Dependabot.

With the newest changes, Dependabot can't get secrets on push and pull_request events, which we're using for our CI checks. According to this documentation, we're forced to create 2 workflows, e.g.:

```yaml
# Workflow 1: the untrusted gate. It runs on every push, but its only job
# does anything solely when the push came from Dependabot.
name: Dependabot Push Check
on:
  push:
jobs:
  check_dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - run: echo "Push initiated by Dependabot"
```

```yaml
# Workflow 2: the trusted follow-up. A workflow_run trigger fires from the
# default branch's copy of this file and runs with repository secrets.
name: Dependabot Trusted Workflow
on:
  workflow_run:
    workflows:
      - Dependabot Push Check
    types:
      - completed
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    steps:
      - name: Check out repository code
        uses: actions/checkout@v2
        with:
          # In a workflow_run job github.sha points at the default branch, so
          # without an explicit ref the tests would not run against the
          # commit Dependabot actually pushed.
          ref: ${{ github.event.workflow_run.head_sha }}
      - name: Run tests
        run: npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
```

When Dependabot creates its PR, it'll have only 1 check in it:
(screenshot omitted)

The Dependabot Push Check workflow triggers Dependabot Trusted Workflow, but the latter is not part of the CI checks for the PR.

Could we implement a feature where we could specify that the workflow is part of the PR checks?

Also, in our case, we need the Dependabot Trusted Workflow workflow to be part of the checks for PRs initiated not only by Dependabot but also by regular developers.

@ashlinchak ashlinchak added the T: feature-request Requests for new features label Oct 11, 2021
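One way to get the trusted run to show up on the PR today, as an added example that is not part of the original issue and not Dependabot's or GitHub's own code: the PR checks list is keyed by the head commit SHA, so a `workflow_run` job that publishes its own result as a check run on `workflow_run.head_sha` appears in that list. The file name, the check name, `npm test` and the `NPM_TOKEN` secret are assumptions carried over from the issue; the gating workflow is the Dependabot Push Check shown above. The explicit `permissions` block is the mechanism the changelog linked in the replies describes: the token is narrowed to exactly what the job needs.

```yaml
# .github/workflows/dependabot-trusted.yml (hypothetical file name)
name: Dependabot Trusted Workflow
on:
  workflow_run:
    workflows:
      - Dependabot Push Check
    types:
      - completed

# Least-privilege token: read the repo, write check runs, nothing else.
permissions:
  contents: read
  checks: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Do not trust the gating run's conclusion alone: re-check that the
    # upstream run was started by Dependabot before touching secrets.
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.actor.login == 'dependabot[bot]'
    steps:
      - name: Check out the commit the gating run tested
        uses: actions/checkout@v2
        with:
          # github.sha is the default branch here; pin to the tested commit.
          ref: ${{ github.event.workflow_run.head_sha }}

      - name: Run tests
        id: tests
        run: npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

      - name: Publish the result as a check run on the tested commit
        # always() so a failing test run still produces a (failed) check.
        if: always()
        env:
          GH_TOKEN: ${{ github.token }}
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
          # steps.<id>.outcome is success/failure/cancelled/skipped, all of
          # which are valid check-run conclusions.
          CONCLUSION: ${{ steps.tests.outcome }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          jq -n --arg name 'Dependabot Trusted Workflow' \
                --arg sha "$HEAD_SHA" --arg c "$CONCLUSION" --arg url "$RUN_URL" \
            '{name: $name, head_sha: $sha, status: "completed", conclusion: $c,
              details_url: $url,
              output: {title: $name, summary: ("Tests finished with outcome: " + $c)}}' |
          gh api --method POST "/repos/${GITHUB_REPOSITORY}/check-runs" --input -
```

Because `workflow_run` executes in the base repository with repository secrets and a writable token, the gate is what keeps this safe: `push` only fires for branches that live in this repository, so a fork cannot reach the job, and the actor is verified again here rather than inherited from the gating run. Keep `contents: read` and `checks: write` as the only grants. GitHub only honours the `workflow_run` trigger from the copy of this file on the default branch, so the workflow has to be merged before it fires, and the check it creates can then be named in branch protection like any other required status check.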
@jurre
Member

jurre commented Oct 11, 2021

I believe your setup can be simplified with this recent change: https://github.blog/changelog/2021-10-06-github-actions-workflows-triggered-by-dependabot-prs-will-respect-permissions-key-in-workflows/, that should allow you to specify the needed permissions in a single workflow.

@ashlinchak
Author

@jurre Thank you for your response, this is great news around permissions. Could you please suggest how we could fix our workflow, as the main issue for us is being unable to get secrets for a CI job that was triggered by Dependabot?

According to the link you provided, this is still in progress:

In addition to the permissions change we are working to enable workflows triggered by Dependabot to use Dependabot secrets. This change will enable you to use those secrets to pull dependencies from private repositories.

@brrygrdn brrygrdn added the service 💁 Relates to Dependabot features GitHub provides label Nov 26, 2021
@brrygrdn
Contributor

According to the link you provided, this is still in progress:

Unfortunately I don't have an ETA to share on shipping this change, but this is being actively worked on.

@jeffwidman
Member

I'm fairly sure this is the same underlying issue as:

So closing as a duplicate. If I'm misunderstanding something, please comment and we can reopen.

@jeffwidman jeffwidman closed this as not planned (duplicate) Feb 4, 2023