Ahmad Nassri
PSA: confirmed that `pull_request_target` + PAT works fine for private repos. I got a wave of dependabot PRs come in overnight and they all worked after switching to `pull_request_target`...
a side effect: even though switching to `pull_request_target` for this action works, since dependabot's PRs are now treated as a fork, you might have _other_ workflows that end...
@peterbe: see https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

> "a pull request from Dependabot will be treated as if they were opened from a repository fork."

whatever internal magic _(if statements)_ are doing in github's...
@peterbe in your case, all workflows seem like they will work if you switch them to `pull_request_target`, except for lighthouse / performance workflow since it needs a secret .. (`secrets.LHCI_GITHUB_APP_TOKEN`)...
> Sorry. I misinterpreted your sentence. It says they'll be "treated" as if from a fork.

you did not misinterpret :smile:, I originally typed "from a fork" then I...
@mercuriete same as before `repo:push`
@EricHaggar are there any other limits on this repo? perhaps branch protections (as the error seems to indicate)? this is all helpful information, I'm compiling a list of "gotchas" to...
@EricHaggar you need the personal access token (which belongs to a GitHub user) to have the permission, not dependabot itself
asking @ttshivers @leblancfg @AlCalzone for feedback on this breaking change, as you've all helped contribute and shape this action :)
FYI: I'm holding this release back as GH Actions has shown an issue with version fixing on docker-based actions ... for tracking: https://github.com/github/super-linter/issues/943