Dependabot can't read repo secrets upon manual retry anymore
Previously when dependabot created a PR, it would fail on the deploy to staging part because it could not access the gcloud secret. (Reasons why this happens 1 & 2). As a workaround, a developer with access to the repository could re-run the job. The job would succeed because it used the permissions of the person re-running the pipeline (which had access to the secrets). This is no longer the case. Seems like a new thing that occurred: https://github.com/dependabot/dependabot-core/issues/5464
Example of previous behavior that worked
- Step 1 - The build triggered by dependabot would fail https://github.com/web-platform-tests/wpt.fyi/actions/runs/2692971486/attempts/1
  - You can see in the secrets stage that it is missing the GCLOUD_KEY_FILE_JSON secret
- Step 2 - I re-ran the build. And it worked https://github.com/web-platform-tests/wpt.fyi/actions/runs/2692971486
  - You can see in the secrets stage that the GCLOUD_KEY_FILE_JSON secret is present
Example of it not working anymore
- Step 1 - Dependabot triggered build doesn't work https://github.com/web-platform-tests/wpt.fyi/actions/runs/2777683418/attempts/1
- Step 2 - Build triggered by me doesn't work either
In the secrets step for both of them, you'll see that the secret is empty

Options
- Add the secret with the same name to the secrets for dependabot
- Con: A malicious dependency update could potentially get the secret. Github Docs about it
- However - Renovate currently does the same thing and it has access to the secret. PRs
- Skip the deploy steps (keep the test steps) if it is a dependabot build
- Con: Stuff going into main could break staging.
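The second option, as an added illustration (not the wpt.fyi repository's own workflow): the test job always runs, while the staging deploy job is skipped when the run was triggered by Dependabot, and it refuses to deploy if the secret turns out to be empty anyway. The job names, the test command and the deploy script are assumptions; `github.actor` stays `dependabot[bot]` on a manual re-run of a Dependabot-triggered workflow, so the deploy is skipped there too.

```yaml
name: ci

on:
  pull_request:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Assumed test command; Dependabot PRs still get full test coverage.
      - run: make test

  deploy-staging:
    needs: test
    # Dependabot-triggered runs get Dependabot secrets, not repository secrets,
    # so GCLOUD_KEY_FILE_JSON would be empty; skip deployment for those runs.
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Refuse to deploy with an empty gcloud key
        env:
          GCLOUD_KEY_FILE_JSON: ${{ secrets.GCLOUD_KEY_FILE_JSON }}
        run: |
          if [ -z "$GCLOUD_KEY_FILE_JSON" ]; then
            echo "GCLOUD_KEY_FILE_JSON is empty; not deploying" >&2
            exit 1
          fi
      # Assumed deploy script for the staging environment.
      - run: ./deploy-staging.sh
        env:
          GCLOUD_KEY_FILE_JSON: ${{ secrets.GCLOUD_KEY_FILE_JSON }}
```

The trade-off is the one listed above: a Dependabot PR merged to main is then first exercised against staging only after merge, so the empty-secret check is there to fail loudly rather than deploy with missing credentials.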