Dependabot latest change renders this action unusable for public repos
> Starting March 1st, 2021 workflow runs that are triggered by a pull request from Dependabot will be treated as if they were opened from a repository fork. This means they will receive a read-only `GITHUB_TOKEN` and will not have access to any secrets available in the repository. This will cause any workflows that attempt to write to the repository to fail.
>
> If your workflow needs to have a write token, you can use the `pull_request_target` event; however, this is not viable for public repositories due to security risks.

I have not seen any success with `pull_request_target`, simply because no Dependabot PRs have landed on my private repos since I changed to using `pull_request_target`, but I will update this issue and the README if I can validate them working…

`pull_request_target` might be acceptable for private repos… but I don’t believe that will be good enough for public ones.
Issue Analytics
- Created 3 years ago
- Reactions: 8
- Comments: 55 (14 by maintainers)
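For readers weighing the `pull_request_target` route the issue discusses, the following is an added example (not the action's or the issue author's configuration) of the hardening that limits the exposure: the job runs only for the Dependabot actor, the token gets only the scopes the step uses, and the checkout is of the base commit rather than the PR head, so nothing from the PR executes under the write-capable token. This reduces, but does not remove, the risk the issue describes; the workflow name and the `dependencies` label are assumptions.

```yaml
name: dependabot-maintenance

# pull_request_target runs in the context of the base branch and receives
# a write-capable GITHUB_TOKEN. That is exactly why it is risky: never
# build or execute code from the PR head under this event.
on:
  pull_request_target:
    types: [opened, synchronize]

# Least privilege: only the scopes the job below actually uses.
permissions:
  contents: read
  pull-requests: write

jobs:
  label:
    # Only act on PRs opened by Dependabot; every other PR is skipped.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      # Check out the BASE commit, not the PR head, so anything that runs
      # in later steps comes from the trusted branch, never from the PR.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.base.sha }}
          persist-credentials: false

      # The one write operation, performed with the privileged token but
      # without running anything from the PR. "dependencies" is an
      # assumed label name.
      - name: Label the Dependabot PR
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr edit "$PR_NUMBER" --add-label dependencies
```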
PSA: I have to start my main work day, which will keep me occupied and away from further trying to debug and address this issue. I appreciate the community’s feedback, and if y’all keep testing / trying things, I would appreciate it if you log them in this issue so that I can circle back to it.
Also getting this for unknown reasons in private repositories.
EDIT: ah, seems like `pull_request_target` works. Would be nice to highlight this in the README.