Starting March 1st, 2021 workflow runs that are triggered by Dependabot from push
, pull_request
, pull_request_review
, or pull_request_review_comment
events will be treated as if they were opened from a repository fork. This means they will receive a read-only GITHUB_TOKEN
and will not have access to any secrets available in the repository. This will cause any workflows that attempt to write to the repository to fail.
This change will affect all repositories, both public and private, regardless of how they are configured, and is being made to prevent potentially compromised dependencies from capturing secrets referenced in your workflows.
If your workflow needs to have a write token or access to secrets, you can use the pull_request_target
event; however, please read
Keeping your GitHub Actions and workflows secure: Preventing pwn requests to better understand the risks.