Dependabot latest change renders this action unusable for public repos #60
Comments
I tried the following methods:
I hope someone can double-check, proving I did something wrong. Upstream bugs related: |
for (1), I'm seeing the same issue; I haven't checked (2) yet, but if I find time later, I'll check it out and respond here |
for method 1: are you using a PAT? |
@ahmadnassri: I am, with (also, sweet action! I started trying to integrate it yesterday, which seems like bad timing 😆 ) |
This article linked from the announcement suggests a 2-step strategy where the first workflow runs unprivileged and exposes the checked PR as a build artifact, and the second one fetches that artifact and merges the referenced PR. |
after further inspection of recent private repo PRs, it seems the "March 1st" date from the GitHub article is false ... up until March 8 things were working fine, only on March 9 did the issues start ... (thanks GitHub for the misleading info)! this is why I was confused, because I saw the article indicating March 1st, and kept an eye on things for that date and ongoing, and everything seemed to work fine ... until the 9th! |
@akheron the 2-step strategy is what I called |
@mercuriete: have sample code for that process? |
this code tries to comment on a PR unconditionally. For me it failed like this (reverse patch): and like this when using secrets: so given that I couldn't make a comment I stopped trying and used another action. Another problem is: Even if you are successful commenting on a PR with the following text "@dependabot merge" TLDR; So even if we could make a comment on a PR the action will fail on the main branch. |
alas, there's no sad emoji to respond with |
is this a new behaviour? |
note: it's REALLY hard to test further variations on this .. since anybody got thoughts on testing? |
I've been closing the PRs and using |
I could mimic the behaviour with @ahmadnassri no, it is not a new behaviour. It turns out it wasn't |
If you change your main branch to "main-fake" you can downgrade packages and do whatever you want.... |
ah, good trick |
PSA: I have to start my main work day, which will keep me occupied and away from further trying to debug and address this issue. I appreciate the community's feedback, and if y'all keep testing / trying things, I would appreciate it if you log them in this issue, so that I can circle back to it. |
Would it be possible to have a scheduled workflow go through all open dependabot PRs and merge the ones that have passed all |
References:
- ahmadnassri/action-dependabot-auto-merge#60
- https://securitylab.github.com/research/github-actions-preventing-pwn-requests

For public repos it should work; people complain only about private repos, though one wonders if the permissions of PATs are correct.
I don't see why not. They're run on the origin repo, so you'll have the ability to post comments.

```python
# Runs on a 1h cron job
first = True
second = True
for dependabot_pr in all_passing_dependabot_prs_sorted_by_oldest_to_newest:
    if first:
        # Oldest green PR: approve it and ask Dependabot to merge it.
        approve_pr(dependabot_pr)
        post_comment("@dependabot merge", dependabot_pr)
        first = False
        continue
    if second:
        # Next PR: ask Dependabot to rebase it onto the soon-to-be-updated main branch.
        post_comment("@dependabot rebase", dependabot_pr)
        break
```

That way, it carefully merges one at a time and forces a rebase on the "next one". And repeat. (sorry if that comes across as obvious but it's still worth pointing out) |
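As an added illustration of the scheduled-merge idea in the comment above (my own example, not the action's code and not the commenter's), the selection logic in Python over constructed PR records, with the guards a job holding a write token should apply before posting `@dependabot merge` or `@dependabot rebase`: act only on PRs opened by `dependabot[bot]` from a `dependabot/` branch in the same repository, and only when every check reported success. The repo names, PR numbers and check results are invented sample data.

```python
from datetime import datetime

# Constructed sample of the fields a "list pull requests" API call would return;
# not data from the issue. PR 14 mimics Dependabot's branch naming from a fork.
SAMPLE_PRS = [
    {"number": 12, "user": "dependabot[bot]", "head_repo": "acme/app", "base_repo": "acme/app",
     "head_ref": "dependabot/npm_and_yarn/lodash-4.17.21", "created_at": "2021-03-09T10:00:00Z",
     "checks": ["success", "success"]},
    {"number": 11, "user": "dependabot[bot]", "head_repo": "acme/app", "base_repo": "acme/app",
     "head_ref": "dependabot/npm_and_yarn/axios-0.21.1", "created_at": "2021-03-08T09:00:00Z",
     "checks": ["success"]},
    {"number": 13, "user": "dependabot[bot]", "head_repo": "acme/app", "base_repo": "acme/app",
     "head_ref": "dependabot/github_actions/actions/checkout-2.3.4", "created_at": "2021-03-10T08:00:00Z",
     "checks": ["success", "failure"]},
    {"number": 14, "user": "mallory", "head_repo": "mallory/app", "base_repo": "acme/app",
     "head_ref": "dependabot/npm_and_yarn/evil-1.0.0", "created_at": "2021-03-07T08:00:00Z",
     "checks": ["success"]},
]

def is_trusted_dependabot_pr(pr):
    """Act only on PRs Dependabot itself opened from a branch inside this repository."""
    return (pr["user"] == "dependabot[bot]"
            and pr["head_repo"] == pr["base_repo"]
            and pr["head_ref"].startswith("dependabot/"))

def all_checks_passed(pr):
    """Every check must have reported success; a PR with no checks is not green."""
    return bool(pr["checks"]) and all(c == "success" for c in pr["checks"])

def plan_actions(prs):
    """Approve and '@dependabot merge' the oldest green PR, '@dependabot rebase' the next."""
    candidates = sorted(
        (pr for pr in prs if is_trusted_dependabot_pr(pr) and all_checks_passed(pr)),
        key=lambda pr: datetime.strptime(pr["created_at"], "%Y-%m-%dT%H:%M:%SZ"),
    )
    actions = []
    if candidates:
        actions.append((candidates[0]["number"], "approve"))
        actions.append((candidates[0]["number"], "@dependabot merge"))
    if len(candidates) > 1:
        actions.append((candidates[1]["number"], "@dependabot rebase"))
    return actions

if __name__ == "__main__":
    for number, action in plan_actions(SAMPLE_PRS):
        print(f"PR #{number}: {action}")
```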
One thing I don't understand is: why would it be dangerous/insecure for public repos? I appreciate that you don't want to combine This is what @akheron suggested in this comment: #60 (comment) ...if I understood that correctly. This way you do any Not sure how this relates to the |
PSA: confirmed that |
a side effect: even though switching to that workflow no longer works (because of the secrets thing) and will fail, which makes so now you are faced with the prospect of having to change ALL the other workflows to also run on |
Uh? I don't see that. Either way, I'm going to test simply changing my |
@peterbe: see https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
whatever internal magic (if statements) is happening on GitHub's side to treat it as a fork /shrug |
@peterbe in your case, all workflows seem like they will work if you switch them to |
Sorry. I misinterpreted your sentence. It says they'll be "treated" as if from a fork. |
If there is a problem with rebasing, we could try using

```yaml
on:
  pull_request:
    types: [synchronize]
```
|
I tried
But it looks like it runs in a different context with limited permissions because I am now seeing the following error:
Build: https://github.com/bennycode/ig-trading-api/pull/176/checks?check_run_id=2645794063

EDIT: I found the solution to my problem. I forgot to run

merge-dependencies.yml:

```yaml
name: 'Merge Dependencies'
on: [pull_request_target]
jobs:
  auto-merge:
    runs-on: ubuntu-latest
    # Guarantee that commit comes from Dependabot (don't blindly trust external GitHub Actions)
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: 'Checkout repository'
        uses: actions/checkout@v2.3.4
      - name: 'Automerge dependency updates from Dependabot'
        uses: ahmadnassri/action-dependabot-auto-merge@v2.4.0
        with:
          github-token: ${{ secrets.WEBTEAM_AUTOMERGE_TOKEN }}
```
|
Try using pull_request_target to fix auto-merge. See ahmadnassri/action-dependabot-auto-merge#60
Use pull_request_target to try and fix auto-merge. See ahmadnassri/action-dependabot-auto-merge#60
It seems Fastify has a similar Action which solves the permission access problem via a Github App https://github.com/fastify/github-action-merge-dependabot |
Also getting this for unknown reasons in private repositories. EDIT: ah, seems like pull_request_target works. Would be nice to highlight this in the readme |
Currently broken ahmadnassri/action-dependabot-auto-merge#60
Been struggling with |
https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
> If your workflow needs to have a write token, you can use the `pull_request_target` event; however, this is not viable for public repositories due to security risks

I have not seen any success with `pull_request_target` simply because no dependabot PRs have landed on my private repos since I changed to using `pull_request_target`, but will update this issue and the README if I can validate them working... `pull_request_target` might be acceptable for private repos... but I don't believe that will be good enough for public ones.