Skip to content

Dependabot Actions troubleshooting suggestions might be insecure #37658

New issue
New issue
Open
Open
Dependabot Actions troubleshooting suggestions might be insecure#37658
Labels
contentThis issue or pull request belongs to the Docs Content teamdependabotContent related to Dependabotneeds SMEThis proposal needs review from a subject matter expertnever-staleDo not close as stale
@Marcono1234

Description

@Marcono1234
Marcono1234
opened on Apr 20, 2025

Code of Conduct

What article on docs.github.com is affected?

docs/data/reusables/dependabot/dependabot-on-actions-troubleshooting-workflows.md

Lines 7 to 8 in e2f952a

1. You can update your workflows so that they are no longer triggered by {% data variables.product.prodname_dependabot %} using an expression like: `if: github.actor != 'dependabot[bot]'`. For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions).
1. You can modify your workflows to use a two-step process that includes `pull_request_target` which does not have these limitations. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#restrictions-when-dependabot-triggers-events).

What part(s) of the article would you like to see updated?

  • It currently recommends a if: github.actor != 'dependabot[bot]' check
    Maybe (at least for pull requests) it would be safer to use github.event.pull_request.user.login != 'dependabot[bot]'. Otherwise malicious users could abuse this to skip certain workflows, see related https://www.synacktiv.com/publications/github-actions-exploitation-dependabot.
  • It currently suggests using pull_request_target and a "two-step process" without going into detail.
    It might be safer to not recommend pull_request_target (due to its inherent security risks), but rather suggest increasing the permissions and using Dependabot secrets (which is bullet point 3 of that recommendations list, so maybe this point 2 can simply be omitted?).

Additional information

I am not completely sure about the proposed changes, so please let me know if I forget to consider something, or if something I wrote is incorrect.

Metadata

Metadata

Assignees

No one assigned

    Labels

    contentThis issue or pull request belongs to the Docs Content teamdependabotContent related to Dependabotneeds SMEThis proposal needs review from a subject matter expertnever-staleDo not close as stale

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions