Latest Dependabot Security Update broke this action
@dependabot merge command is now broken: https://github.com/dependabot/dependabot-core/issues/3253
The issue is that Dependabot cannot access secrets when using the pull_request event, but it works when we use pull_request_target.
But unfortunately, the merge commit created by the command @dependabot merge doesn't have access to secrets, which breaks the main branch checks.
My proposal would be to edit this action to support the workflow_run event, as described in https://github.com/dependabot/dependabot-core/issues/3253#issuecomment-852541544, to ensure all checks are passing and then to merge using gh pr merge --auto --merge "$PR_URL" instead of adding a @dependabot merge comment.
Another solution would be to customise the @dependabot to @bot, for example, so we can add an additional action which will do the merge once we get the comment event.
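The workflow_run approach proposed above, written out as an added example (not this action's own code). It assumes the PR-validating workflow is named "CI" and that a PAT with repo scope is stored in a secret named AUTOMERGE_PAT; both names are assumptions.

```yaml
# Added example, not the action's code: a separate workflow that reacts to the
# completion of the "CI" workflow on a Dependabot branch and enables GitHub's
# auto-merge for the PR instead of posting an "@dependabot merge" comment.
name: dependabot-automerge

on:
  workflow_run:
    workflows: ["CI"]          # assumed name of the PR-validating workflow
    types: [completed]

permissions:
  contents: read               # GITHUB_TOKEN is not used for the merge

jobs:
  automerge:
    runs-on: ubuntu-latest
    # Only act on successful runs triggered by Dependabot's own pushes.
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.actor.login == 'dependabot[bot]'
    steps:
      # Deliberately no actions/checkout here: workflow_run executes in the
      # default-branch context with access to secrets, so PR code must never
      # be checked out or executed in this job.
      - name: Enable auto-merge for the Dependabot PR
        env:
          GH_TOKEN: ${{ secrets.AUTOMERGE_PAT }}   # assumed secret name
          REPO: ${{ github.repository }}
          # Dependabot branches live in the same repo, so the run carries the
          # PR number; a PR from a fork would leave this list empty.
          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
        run: |
          if [ -z "$PR_NUMBER" ]; then
            echo "No same-repo PR associated with this run; nothing to do."
            exit 0
          fi
          PR_URL="https://github.com/${REPO}/pull/${PR_NUMBER}"
          # --auto defers the merge until branch-protection checks are green.
          # Merging with the PAT (not as Dependabot) means the resulting push
          # to main triggers checks that can see secrets, as the thread notes.
          gh pr merge --auto --merge "$PR_URL"
```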
Created 2 years ago
Comments: 5 (4 by maintainers)
no longer using the @dependabot merge command, rather replicate the behaviour by using the PAT to wait for workflows to complete on a PR, then do the merge using the PAT. I'm currently writing more tests to get more coverage of edge cases.
@ahmadnassri do you have any update on this?