Dependabot Actions troubleshooting suggestions might be insecure · Issue #37658 · github/docs · GitHub

Dependabot Actions troubleshooting suggestions might be insecure #37658

Open
@Marcono1234

Description

What article on docs.github.com is affected?

1. You can update your workflows so that they are no longer triggered by {% data variables.product.prodname_dependabot %} using an expression like: `if: github.actor != 'dependabot[bot]'`. For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions).
1. You can modify your workflows to use a two-step process that includes `pull_request_target` which does not have these limitations. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#restrictions-when-dependabot-triggers-events).

What part(s) of the article would you like to see updated?

  • It currently recommends an `if: github.actor != 'dependabot[bot]'` check.
    Maybe (at least for pull requests) it would be safer to use `github.event.pull_request.user.login != 'dependabot[bot]'`. Otherwise malicious users could abuse this to skip certain workflows, see related https://www.synacktiv.com/publications/github-actions-exploitation-dependabot.
  • It currently suggests using `pull_request_target` and a "two-step process" without going into detail.
    It might be safer to not recommend `pull_request_target` (due to its inherent security risks), but rather suggest increasing the permissions and using Dependabot secrets (which is bullet point 3 of that recommendations list, so maybe this point 2 can simply be omitted?).

Additional information

I am not completely sure about the proposed changes, so please let me know if I forget to consider something, or if something I wrote is incorrect.
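The two `if:` expressions compared in this issue read different fields of the workflow context: `github.actor` is the account that triggered the run, while `github.event.pull_request.user.login` is the pull request author. The following Python is an added example (not code from github/docs or from the issue author) that mirrors both guards and evaluates them over constructed stand-in contexts; the contexts, including the one in which the actor and the PR author differ, are assumptions built for illustration, not captured workflow runs.

```python
"""Compare the two Dependabot guard expressions discussed in the issue.

Added example, not code from github/docs or the issue author.  The
contexts below are constructed stand-ins for the GitHub Actions
`github` context; they are not captured from real workflow runs.
"""

DEPENDABOT = "dependabot[bot]"

# Constructed contexts holding just the fields the two expressions read.
CONTEXTS = {
    # Dependabot authored the PR and its own activity triggered the run.
    "dependabot_pr": {
        "actor": DEPENDABOT,
        "event_name": "pull_request",
        "event": {"pull_request": {"user": {"login": DEPENDABOT}}},
    },
    # A contributor's PR, triggered by the contributor's own push.
    "human_pr": {
        "actor": "alice",
        "event_name": "pull_request",
        "event": {"pull_request": {"user": {"login": "alice"}}},
    },
    # A human-authored PR whose triggering event is attributed to
    # dependabot[bot]: the actor/author divergence the issue points at.
    "human_pr_dependabot_actor": {
        "actor": DEPENDABOT,
        "event_name": "pull_request",
        "event": {"pull_request": {"user": {"login": "mallory"}}},
    },
    # A push event: there is no pull_request object at all.
    "push_by_dependabot": {
        "actor": DEPENDABOT,
        "event_name": "push",
        "event": {},
    },
}


def actor_guard(ctx):
    """Mirror of `if: github.actor != 'dependabot[bot]'`.

    Returns True when the job would run.  `github.actor` is the account
    that triggered the run, which is not necessarily the PR author.
    """
    return ctx["actor"] != DEPENDABOT


def author_guard(ctx):
    """Mirror of `if: github.event.pull_request.user.login != 'dependabot[bot]'`.

    Reads the PR author instead of the triggering actor.  In Actions
    expressions a missing property evaluates to an empty string, so on
    a non-PR event the comparison is '' != 'dependabot[bot]' and the
    job runs; that fallback is reproduced here.
    """
    pr = ctx["event"].get("pull_request")
    login = pr["user"]["login"] if pr else ""
    return login != DEPENDABOT


def evaluate(ctx):
    """Return both verdicts for one context as a dict."""
    return {"actor_guard": actor_guard(ctx), "author_guard": author_guard(ctx)}


def divergent_contexts(contexts=CONTEXTS):
    """Names of contexts where the two guards disagree about running the job."""
    return [name for name, ctx in contexts.items()
            if actor_guard(ctx) != author_guard(ctx)]


if __name__ == "__main__":
    for name, ctx in CONTEXTS.items():
        v = evaluate(ctx)
        print(f"{name:28} actor_guard={v['actor_guard']!s:5} "
              f"author_guard={v['author_guard']!s:5}")
    print("guards disagree on:", divergent_contexts())
```

Running the script shows the guards agree on a genuine Dependabot PR and on an ordinary contributor PR, and disagree exactly where the triggering actor and the PR author differ. The `push_by_dependabot` context also shows the caveat behind the issue's "at least for pull requests" wording: the author-based expression has nothing to read on a non-PR event and lets the job run, so it is only a meaningful guard on `pull_request` (and `pull_request_target`) events.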

Metadata

Assignees: No one assigned

Labels: content (This issue or pull request belongs to the Docs Content team), dependabot (Content related to Dependabot), needs SME (This proposal needs review from a subject matter expert), never-stale (Do not close as stale)
