Skip to content

Commit 6a66c1b

Browse files
sami-alajramisami-alajrami
authored
Fix Dependabot PRs failing due to missing secrets (#697)
* Fix Dependabot PRs failing due to missing secrets Problem Dependabot PRs were triggering the Main workflow via the push event, but GitHub withholds repository secrets from Dependabot-initiated runs. This caused jobs requiring secrets (tests, Snyk scans, Kosli reporting) to fail, blocking the PRs from being merged. Solution Dependabot branches are excluded from the push trigger. Instead, a pull_request_target trigger handles Dependabot PRs — this event runs in the context of the base branch and has full access to repository secrets. A guard (github.actor == 'dependabot[bot]') ensures the secrets-bearing path is only reachable by Dependabot, not arbitrary external PRs. A checkout_ref input is threaded through all reusable workflows so each job checks out the PR head commit rather than the base branch. * upgrade all remaining actions/checkout to v6 * checkout the correct ref in pre-build to avoid confusion/errors in the future
1 parent 43b1fae commit 6a66c1b

12 files changed

Lines changed: 60 additions & 24 deletions

.github/workflows/binary_provenance.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,7 @@ jobs:
3434
matrix:
3535
artifact: ${{fromJson(inputs.artifacts)}}
3636
steps:
37-
- uses: actions/checkout@v4
37+
- uses: actions/checkout@v6
3838

3939
- uses: actions/download-artifact@v4
4040
with:

.github/workflows/daily-cli-tests.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ jobs:
1111
outputs:
1212
trail_name: ${{ steps.prep.outputs.trail_name }}
1313
steps:
14-
- uses: actions/checkout@v4
14+
- uses: actions/checkout@v6
1515

1616
- name: Prepare
1717
id: prep

.github/workflows/docker.yml

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,10 @@ on:
2121
kosli_org:
2222
required: true
2323
type: string
24+
checkout_ref:
25+
required: false
26+
type: string
27+
default: ''
2428
secrets:
2529
slack_channel:
2630
required: true
@@ -50,9 +54,10 @@ jobs:
5054
packages: write
5155

5256
steps:
53-
- uses: actions/checkout@v4
57+
- uses: actions/checkout@v6
5458
with:
5559
fetch-depth: 3
60+
ref: ${{ inputs.checkout_ref || github.sha }}
5661

5762
- uses: actions/setup-go@v5
5863
with:

.github/workflows/helm-chart.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ jobs:
2323
app-id: ${{ vars.CI_SIGNED_COMMIT_APP_ID }}
2424
private-key: ${{ secrets.CI_SIGNED_COMMIT_APP_PRIVATE_KEY }}
2525

26-
- uses: actions/checkout@v4
26+
- uses: actions/checkout@v6
2727
with:
2828
token: ${{ steps.generate_token.outputs.token }}
2929
fetch-depth: 0

.github/workflows/init_kosli.yml

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,10 @@ on:
1515
kosli_org:
1616
required: true
1717
type: string
18+
checkout_ref:
19+
required: false
20+
type: string
21+
default: ''
1822
secrets:
1923
kosli_api_token:
2024
required: true
@@ -31,9 +35,10 @@ jobs:
3135
pull-requests: read
3236
steps:
3337

34-
- uses: actions/checkout@v4
38+
- uses: actions/checkout@v6
3539
with:
3640
fetch-depth: 0
41+
ref: ${{ inputs.checkout_ref || github.sha }}
3742

3843
- name: setup-kosli-cli
3944
uses: kosli-dev/setup-cli-action@v2

.github/workflows/main.yml

Lines changed: 21 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -2,34 +2,46 @@ name: Main
22

33
on:
44
push:
5-
branches:
6-
- "**"
5+
branches-ignore:
6+
- "dependabot/**"
7+
pull_request_target:
8+
types: [opened, synchronize, reopened]
79

810
concurrency:
9-
group: ${{ github.workflow }}-${{ github.ref }}
11+
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
1012

1113
jobs:
1214
pre-build:
15+
if: github.event_name == 'push' || github.actor == 'dependabot[bot]'
1316
runs-on: ubuntu-latest
1417
outputs:
1518
tag: ${{ steps.prep.outputs.tag }}
1619
trail_name: ${{ steps.prep.outputs.trail_name }}
1720
trail_template_file: ${{ steps.prep.outputs.trail_template_file }}
21+
checkout_ref: ${{ steps.prep.outputs.checkout_ref }}
1822
steps:
19-
- uses: actions/checkout@v4
23+
- uses: actions/checkout@v6
24+
with:
25+
ref: ${{ github.event.pull_request.head.sha || github.sha }}
2026

2127
- name: Prepare
2228
id: prep
2329
run: |
24-
TAG=$(echo $GITHUB_SHA | head -c7)
30+
if [ "${{ github.event_name }}" == "pull_request_target" ]; then
31+
SHA=${{ github.event.pull_request.head.sha }}
32+
else
33+
SHA=$GITHUB_SHA
34+
fi
35+
TAG=$(echo $SHA | head -c7)
2536
echo "TAG=${TAG}" >> ${GITHUB_ENV}
2637
echo "tag=$TAG" >> $GITHUB_OUTPUT
38+
echo "checkout_ref=$SHA" >> $GITHUB_OUTPUT
2739
2840
if [ "${GITHUB_REF}" == refs/tags/* ]; then
2941
TRAIL_NAME=${GITHUB_REF##refs/tags/}
3042
TRAIL_TEMPLATE_FILE=release-flow-template.yml
3143
else
32-
TRAIL_NAME=$(echo $GITHUB_SHA | head -c 7)
44+
TRAIL_NAME=$(echo $SHA | head -c 7)
3345
TRAIL_TEMPLATE_FILE=main-flow-template.yml
3446
fi
3547
echo "TRAIL_NAME=${TRAIL_NAME}" >> $GITHUB_ENV
@@ -46,6 +58,7 @@ jobs:
4658
TRAIL_NAME: ${{ needs.pre-build.outputs.trail_name }}
4759
FLOW_TEMPLATE_FILE: ${{ needs.pre-build.outputs.trail_template_file }}
4860
KOSLI_ORG: kosli-public
61+
checkout_ref: ${{ needs.pre-build.outputs.checkout_ref }}
4962
secrets:
5063
kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }}
5164
pr_github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -59,6 +72,7 @@ jobs:
5972
FLOW_NAME: cli
6073
TRAIL_NAME: ${{ needs.pre-build.outputs.trail_name }}
6174
KOSLI_ORG: kosli-public
75+
checkout_ref: ${{ needs.pre-build.outputs.checkout_ref }}
6276
secrets:
6377
github_access_token: ${{ secrets.KOSLI_GITHUB_TOKEN }}
6478
gitlab_access_token: ${{ secrets.KOSLI_GITLAB_TOKEN }}
@@ -83,6 +97,7 @@ jobs:
8397
flow_name: cli
8498
trail_name: ${{ needs.pre-build.outputs.trail_name }}
8599
kosli_org: kosli-public
100+
checkout_ref: ${{ needs.pre-build.outputs.checkout_ref }}
86101
secrets:
87102
slack_webhook: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }}
88103
slack_channel: ci-failures

.github/workflows/never_alone_trail.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -40,7 +40,7 @@ jobs:
4040
pull-requests: read
4141
steps:
4242

43-
- uses: actions/checkout@v4
43+
- uses: actions/checkout@v6
4444
with:
4545
fetch-depth: 0
4646

.github/workflows/publish_branch_docs.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ jobs:
1010
publish:
1111
runs-on: ubuntu-latest
1212
steps:
13-
- uses: actions/checkout@v4
13+
- uses: actions/checkout@v6
1414

1515
- name: Generate json
1616
run: |

.github/workflows/publish_docs.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ jobs:
1414
publish:
1515
runs-on: ubuntu-latest
1616
steps:
17-
- uses: actions/checkout@v4
17+
- uses: actions/checkout@v6
1818

1919
# Deploy to local repo
2020
- name: Deploy

.github/workflows/release.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ jobs:
1919
trail_name: ${{ steps.prep.outputs.trail_name }}
2020
trail_template_file: ${{ steps.prep.outputs.trail_template_file }}
2121
steps:
22-
- uses: actions/checkout@v4
22+
- uses: actions/checkout@v6
2323

2424
- name: Get tag
2525
id: tag
@@ -111,7 +111,7 @@ jobs:
111111
artifacts: ${{ steps.prepare-artifacts-list.outputs.artifacts }}
112112
steps:
113113
- name: Checkout
114-
uses: actions/checkout@v4
114+
uses: actions/checkout@v6
115115
with:
116116
fetch-depth: 0
117117

@@ -200,7 +200,7 @@ jobs:
200200
runs-on: ubuntu-latest
201201
steps:
202202
- name: Checkout
203-
uses: actions/checkout@v4
203+
uses: actions/checkout@v6
204204
with:
205205
fetch-depth: 0 # needed to be able to generate legacy versions reference.
206206

0 commit comments

Comments
 (0)