You can now delete and restore any package type within GitHub Packages, even publicly visible packages. Any package or package version of yours can now be deleted through the github.com website or REST APIs. The ability to delete any package will help you manage the packages you want to keep in your account. Any package deleted within the last 30 days can also be restored to undo a delete and bring the package back to its original state.
Starting March 1st, 2021 workflow runs that are triggered by Dependabot from
pull_request_review_comment events will be treated as if they were opened from a repository fork. This means they will receive a read-only
GITHUB_TOKEN and will not have access to any secrets available in the repository. This will cause any workflows that attempt to write to the repository to fail.
This change will affect all repositories, both public and private, regardless of how they are configured, and is being made to prevent potentially compromised dependencies from capturing secrets referenced in your workflows.
If your workflow needs to have a write token or access to secrets, you can use the
pull_request_target event; however, please read
Keeping your GitHub Actions and workflows secure: Preventing pwn requests to better understand the risks.