From 2d0f1abc6d74501074a679267137a3d3540af100 Mon Sep 17 00:00:00 2001 From: "Leona B. Campbell" <3880403+runleonarun@users.noreply.github.com> Date: Mon, 8 Mar 2021 15:37:26 -0800 Subject: [PATCH] [Ready to ship on March 4] Adding workflow note about dependabot token (#17918) * adding workflows note about dependabot token * reworded a little to make active * Update data/reusables/actions/workflow-runs-dependabot-note.md Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com> Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com> --- content/actions/reference/authentication-in-a-workflow.md | 2 ++ .../keeping-your-actions-up-to-date-with-dependabot.md | 2 ++ data/reusables/actions/workflow-runs-dependabot-note.md | 7 +++++++ 3 files changed, 11 insertions(+) create mode 100644 data/reusables/actions/workflow-runs-dependabot-note.md diff --git a/content/actions/reference/authentication-in-a-workflow.md b/content/actions/reference/authentication-in-a-workflow.md index a4a0b047a43e..8805da3d9f0f 100644 --- a/content/actions/reference/authentication-in-a-workflow.md +++ b/content/actions/reference/authentication-in-a-workflow.md @@ -95,6 +95,8 @@ For information about the API endpoints {% data variables.product.prodname_githu | repository projects | read/write | read | | statuses | read/write | read | +{% data reusables.actions.workflow-runs-dependabot-note %} + If you need a token that requires permissions that aren't available in the `GITHUB_TOKEN`, you can create a personal access token and set it as a secret in your repository: 1. Use or create a token with the appropriate permissions for that repository. For more information, see "[Creating a personal access token](/github/authenticating-to-github/creating-a-personal-access-token)." 
diff --git a/content/github/administering-a-repository/keeping-your-actions-up-to-date-with-dependabot.md b/content/github/administering-a-repository/keeping-your-actions-up-to-date-with-dependabot.md index e489fec42f88..4e6c7b54b8ef 100644 --- a/content/github/administering-a-repository/keeping-your-actions-up-to-date-with-dependabot.md +++ b/content/github/administering-a-repository/keeping-your-actions-up-to-date-with-dependabot.md 
@@ -13,6 +13,8 @@ versions: Actions are often updated with bug fixes and new features to make automated processes more reliable, faster, and safer. When you enable {% data variables.product.prodname_dependabot_version_updates %} for {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dependabot %} will help ensure that references to actions in a repository's *workflow.yml* file are kept up to date. For each action in the file, {% data variables.product.prodname_dependabot %} checks the action's reference (typically a version number or commit identifier associated with the action) against the latest version. If a more recent version of the action is available, {% data variables.product.prodname_dependabot %} will send you a pull request that updates the reference in the workflow file to the latest version. For more information about {% data variables.product.prodname_dependabot_version_updates %}, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-dependabot-version-updates)." For more information about configuring workflows for {% data variables.product.prodname_actions %}, see "[Learn {% data variables.product.prodname_actions %}](/actions/learn-github-actions)." +{% data reusables.actions.workflow-runs-dependabot-note %} + ### Enabling {% data variables.product.prodname_dependabot_version_updates %} for actions {% data reusables.dependabot.create-dependabot-yml %} If you have already enabled {% data variables.product.prodname_dependabot_version_updates %} for other ecosystems or package managers, simply open the existing *dependabot.yml* file. diff --git a/data/reusables/actions/workflow-runs-dependabot-note.md b/data/reusables/actions/workflow-runs-dependabot-note.md new file mode 100644 index 000000000000..1e61585baaf4 --- /dev/null +++ b/data/reusables/actions/workflow-runs-dependabot-note.md 
@@ -0,0 +1,7 @@ +{% if currentVersion == "free-pro-team@latest" %} +{% note %} + +**Note:** Pull requests for {% data variables.product.prodname_dependabot %} version updates will trigger workflow runs with a read-only `GITHUB_TOKEN`. These workflow runs will not be granted access to any secrets. + +{% endnote %} +{% endif %}
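Review bot: In content/actions/reference/authentication-in-a-workflow.md, the include lands directly above the paragraph that tells readers to create a personal access token and set it as a secret, while the note itself says these runs "will not be granted access to any secrets". Read in sequence, the PAT-as-secret workaround looks like it also covers Dependabot-triggered runs, which the note rules out. Suggest adding one sentence after the include stating that a token stored as a secret is equally unavailable to those runs, or moving the include below the numbered steps so the restriction is the last thing the reader sees.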
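Review bot: In keeping-your-actions-up-to-date-with-dependabot.md, the include sits in the introduction just above the "### Enabling" heading with no pointer to what a read-only `GITHUB_TOKEN` can still do. This is the page where readers turn on the pull requests that trigger those runs, so suggest following the include with a link to the permissions table in authentication-in-a-workflow.md (the other page touched by this patch), letting readers check their workflows against the read column before enabling updates.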
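Review bot: In data/reusables/actions/workflow-runs-dependabot-note.md, the sentence beginning "Pull requests for ... version updates will trigger workflow runs" states the restriction but not its visible effect, and it scopes the restriction to version updates only. Suggest adding a clause saying that steps which need write access or secrets will fail in these runs, so maintainers can recognize the cause when a check fails on a Dependabot pull request. If the restriction applies to every pull request Dependabot opens, drop "version updates" from the wording; if it really is limited to version updates, say so explicitly.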