
GitHub Actions: Workflows triggered by Dependabot PRs will run with read-only permissions

Starting March 1st, 2021, workflow runs that are triggered by Dependabot from push, pull_request, pull_request_review, or pull_request_review_comment events will be treated as if they were opened from a repository fork. This means they will receive a read-only GITHUB_TOKEN and will not have access to any secrets available in the repository. Any workflow that attempts to write to the repository on such a run will therefore fail.

This change will affect all repositories, both public and private, regardless of how they are configured, and is being made to prevent potentially compromised dependencies from capturing secrets referenced in your workflows.

If your workflow needs to have a write token or access to secrets, you can use the pull_request_target event; however, please read "Keeping your GitHub Actions and workflows secure: Preventing pwn requests" to better understand the risks.
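As an added illustration (not part of this changelog), two workflow fragments show how the change plays out: a pull_request job that needs no write access, so it keeps working on Dependabot runs, and a pull_request_target job that does need write access, written so it never checks out or runs code from the PR head. The file names, the label name and the test commands are assumptions.

```yaml
# .github/workflows/ci.yml  (assumed file name)
# Runs on pull_request. On Dependabot-triggered runs the GITHUB_TOKEN is
# read-only and no repository secrets are exposed; that is fine here because
# this job only reads the repository and reports a check result.
name: ci
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      # Assumed project commands; the code under test is the PR head, but it
      # runs with a read-only token and no secrets, so a malicious dependency
      # cannot exfiltrate anything it was not already given.
      - run: npm ci && npm test
---
# .github/workflows/dependabot-label.yml  (assumed file name)
# Adding a label needs a write token, so this uses pull_request_target.
# Mitigation for the "pwn request" risk: the job deliberately does NOT run
# actions/checkout against github.event.pull_request.head.sha and executes
# nothing from the PR. It only calls the REST API from the base-branch context.
name: dependabot-label
on:
  pull_request_target:
    types: [opened]
jobs:
  label:
    # Limit the privileged job to PRs actually opened by Dependabot.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Add "dependencies" label via REST API (label name assumed)
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          curl -sS -f -X POST \
            -H "Authorization: token ${GITHUB_TOKEN}" \
            -H "Accept: application/vnd.github.v3+json" \
            "https://api.github.com/repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels" \
            -d '{"labels":["dependencies"]}'
```

If a pull_request_target job ever has to check out the PR head (for example to run its tests), keep that step in a separate job that holds no secrets and does not share the write token.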

For questions, visit the GitHub Actions community

To see what’s next for Actions, visit our public roadmap

You can now delete and restore any package type within GitHub Packages, even publicly visible packages. Any package or package version of yours can now be deleted through the github.com website or REST APIs. The ability to delete any package will help you manage the packages you want to keep in your account. Any package deleted within the last 30 days can also be restored to undo a delete and bring the package back to its original state.

Learn more about deleting and restoring packages and Packages REST APIs

For questions, visit the GitHub Packages community

To see what's next for Packages, visit our public roadmap
