Skip to content

GitHub Actions: Workflows triggered by Dependabot PRs will respect permissions key in workflows

In March we made a change in GitHub Actions that forced workflows triggered by Dependabot to run with a read-only token. This change was made to protect your repositories from potentially malicious dependencies in the same way we prevent pull requests from forks from having privileged access to your repository. We received a lot of feedback from you on how this impacted your workflows and while it was great to be in a safe configuration by default, you wanted to have the option to continue working as you had prior to this change.

In April we introduced the permissions key in the Actions workflow config which enables you to control which permissions are given to a particular workflow or job.

Starting October 11, 2021 workflow runs on push and pull_request events triggered by Dependabot will begin to respect the permissions specified in your workflows putting you back in control of how you manage automatic dependency updates. The default token permissions will remain read-only.

In addition to the permissions change we are working to enable workflows triggered by Dependabot to use Dependabot secrets. This change will enable you to use those secrets to pull dependencies from private repositories.

Learn more about the permissions key in Actions workflows

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap

Organization owners on and GitHub Enterprise Cloud can now export a list of the organization's members in JSON or CSV format, through the 'Export' button on the People tab at<organization>/people.

Export organization members button

See more

The Codes of Conduct API preview, which was accessible with the scarlet-witch-preview header, is being deprecated.

On December 6th, 2021, the fields behind this API preview will no longer be accessible. We recommend using the Get community profile metrics endpoint to retrieve information about a repository's code of conduct.

Email notifications will be sent to active users of the API preview throughout the deprecation period.

If you have any questions, please contact GitHub Support.

See more