Dependabot can't read repo secrets upon manual retry anymore

[jcscottiii]

Previously when dependabot created a PR, it would fail on the deploy to staging part because it could not access the gcloud secret. (Reasons why this happens 1 & 2). As a workaround, a developer with access to the repository could re-run the job. The job would succeed because it used the permissions of the person re-running the pipeline (which had access to the secrets). This is no longer the case. Seems like a new thing that occurred: dependabot/dependabot-core#5464

---

Example of previous behavior that worked

• Step 1 - The build triggered by dependabot would fail https://github.com/web-platform-tests/wpt.fyi/actions/runs/2692971486/attempts/1

  • You can see in the secrets stage that it is missing the GCLOUD_KEY_FILE_JSON secret
  • 

• Step 2 - I re-ran the build. And it worked https://github.com/web-platform-tests/wpt.fyi/actions/runs/2692971486

  • You can see in the secrets stage that the GCLOUD_KEY_FILE_JSON secret is present
  • 

Example of it not working anymore

• Step 1 - Dependabot triggered build doesn't work https://github.com/web-platform-tests/wpt.fyi/actions/runs/2777683418/attempts/1
• Step 2 - Build triggered by me doesn't work either

In the secrets step for both of them, you'll see that the secret is empty

---

Options

• Add the secret with the same name to the secrets for dependabot
  • Con: A malicious dependency update could potentially get the secret. Github Docs about it
  • However - Renonvate currently does the same thing and it has access to the secret. PRs
• Skip the deploy steps (keep the test steps) if it is a dependabot build
  • Con: Stuff going into main could break staging.

[gsnedders]

See also: #3237, #3238, and #3049.