Code of Conduct
What article on docs.github.com is affected?
|
1. You can update your workflows so that they are no longer triggered by {% data variables.product.prodname_dependabot %} using an expression like: `if: github.actor != 'dependabot[bot]'`. For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions). |
|
1. You can modify your workflows to use a two-step process that includes `pull_request_target` which does not have these limitations. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#restrictions-when-dependabot-triggers-events). |
What part(s) of the article would you like to see updated?
- It currently recommends a
if: github.actor != 'dependabot[bot]' check
Maybe (at least for pull requests) it would be safer to use github.event.pull_request.user.login != 'dependabot[bot]'. Otherwise malicious users could abuse this to skip certain workflows, see related https://www.synacktiv.com/publications/github-actions-exploitation-dependabot.
- It currently suggests using
pull_request_target and a "two-step process" without going into detail.
It might be safer to not recommend pull_request_target (due to its inherent security risks), but rather suggest increasing the permissions and using Dependabot secrets (which is bullet point 3 of that recommendations list, so maybe this point 2 can simply be omitted?).
Additional information
I am not completely sure about the proposed changes, so please let me know if I forget to consider something, or if something I wrote is incorrect.
Code of Conduct
What article on docs.github.com is affected?
docs/data/reusables/dependabot/dependabot-on-actions-troubleshooting-workflows.md
Lines 7 to 8 in e2f952a
What part(s) of the article would you like to see updated?
if: github.actor != 'dependabot[bot]'checkMaybe (at least for pull requests) it would be safer to use
github.event.pull_request.user.login != 'dependabot[bot]'. Otherwise malicious users could abuse this to skip certain workflows, see related https://www.synacktiv.com/publications/github-actions-exploitation-dependabot.pull_request_targetand a "two-step process" without going into detail.It might be safer to not recommend
pull_request_target(due to its inherent security risks), but rather suggest increasing thepermissionsand using Dependabot secrets (which is bullet point 3 of that recommendations list, so maybe this point 2 can simply be omitted?).Additional information
I am not completely sure about the proposed changes, so please let me know if I forget to consider something, or if something I wrote is incorrect.