Dependabot Actions troubleshooting suggestions might be insecure #37658

Open
@Marcono1234

Description

Code of Conduct

  • I have read and agree to the GitHub Docs project's Code of Conduct

What article on docs.github.com is affected?

1. You can update your workflows so that they are no longer triggered by {% data variables.product.prodname_dependabot %} using an expression like: `if: github.actor != 'dependabot[bot]'`. For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions).
1. You can modify your workflows to use a two-step process that includes `pull_request_target` which does not have these limitations. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#restrictions-when-dependabot-triggers-events).

What part(s) of the article would you like to see updated?

  • It currently recommends an `if: github.actor != 'dependabot[bot]'` check
    Maybe (at least for pull requests) it would be safer to use `github.event.pull_request.user.login != 'dependabot[bot]'`. Otherwise malicious users could abuse this to skip certain workflows, see related https://www.synacktiv.com/publications/github-actions-exploitation-dependabot.
  • It currently suggests using `pull_request_target` and a "two-step process" without going into detail.
    It might be safer to not recommend `pull_request_target` (due to its inherent security risks), but rather suggest increasing the permissions and using Dependabot secrets (which is bullet point 3 of that recommendation list, so maybe this point 2 can simply be omitted?).

Additional information

I am not completely sure about the proposed changes, so please let me know if I forgot to consider something, or if something I wrote is incorrect.
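The two conditions contrasted in the first point, side by side in a single workflow file, as an added example that is not part of the issue or of the docs article. The workflow name, job names and steps are placeholders; the only real identifiers are the `github.actor` and `github.event.pull_request.user.login` contexts named in the issue. `github.actor` is the account that triggered the workflow run, whereas `github.event.pull_request.user.login` is the account that opened the pull request, which is why the second form ties the skip to the PR author rather than to whoever caused the event. The example keeps the `pull_request` trigger instead of `pull_request_target`, in line with the second point.

```yaml
# Added example, not from the docs article or the issue author.
# Hypothetical workflow file (e.g. .github/workflows/ci.yml); job names
# and steps are placeholders for a real CI job.
name: CI

on:
  pull_request:   # plain pull_request, not pull_request_target (see point 2 in the issue)

jobs:
  # Variant A: the condition the article currently suggests.
  # github.actor is the account that triggered this run, which is not
  # necessarily the account that opened the pull request.
  test-gated-on-actor:
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - run: echo "placeholder for the real test step"

  # Variant B: the condition proposed in the issue.
  # The skip is tied to the pull request author, so the job is only
  # skipped for pull requests that Dependabot itself opened.
  test-gated-on-pr-author:
    if: github.event.pull_request.user.login != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - run: echo "placeholder for the real test step"
```

If the same workflow were also triggered by non-pull-request events, `github.event.pull_request` would be unset for those runs; the expression in variant B then compares `null` with a string, which evaluates to true, so the job still runs for them and the skip only applies to Dependabot-authored pull requests. When auditing existing workflows, grepping for `github.actor !=` in `.github/workflows/` is a quick way to find conditions of the first form.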

Activity

Labels added on Apr 20, 2025: content (This issue or pull request belongs to the Docs Content team), triage (Do not begin working on this issue until triaged by the team)
Sharra-writes (Contributor) commented on Apr 21, 2025
Thanks so much for opening another issue! I'll get this triaged for review, too.

Labels added on Apr 21, 2025: dependabot (Content related to Dependabot), needs SME (This proposal needs review from a subject matter expert); label removed: triage (Do not begin working on this issue until triaged by the team)
github-actions (Contributor) commented on Apr 21, 2025
Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀

rohitkuril commented on May 4, 2025


Metadata

Labels: content (This issue or pull request belongs to the Docs Content team), dependabot (Content related to Dependabot), needs SME (This proposal needs review from a subject matter expert)

Assignees: no one assigned. Type: no type. Projects: no projects. Milestone: no milestone. Relationships: none yet. Development: no branches or pull requests.
