Dependabot `GITHUB_TOKEN` permissions & secret access is contradicting / incomplete
Code of Conduct
- [x] I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
There are multiple parts of the documentation which say that Dependabot workflow runs act as if they are from a forked repository and therefore have limited privileges.
However, the documentation seems to be incomplete / contradicting:
- Some parts say that the token is read-only and there is no access to secrets
  - https://github.com/github/docs/blob/e2f952a115fc4cb3d34281b1fa472ac3cd33e7da/data/reusables/actions/workflow-runs-dependabot-note.md
  - https://github.com/github/docs/blob/e2f952a115fc4cb3d34281b1fa472ac3cd33e7da/data/reusables/developer-site/pull_request_forked_repos_link.md#L17-L18
- Some mention that the permissions can be increased, and secrets can be made accessible (but without linking to the relevant documentation)
  - https://github.com/github/docs/blob/e2f952a115fc4cb3d34281b1fa472ac3cd33e7da/data/reusables/dependabot/dependabot-on-actions-troubleshooting-workflows.md?plain=1#L9
  - https://github.com/github/docs/blame/e2f952a115fc4cb3d34281b1fa472ac3cd33e7da/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md#L26-L31 (it is actually explained further down in the same document, but maybe it would be useful to directly link there?)
- GitHub Enterprise has a dedicated section which suggests changing configs
  - https://github.com/github/docs/blob/e2f952a115fc4cb3d34281b1fa472ac3cd33e7da/content/admin/managing-github-actions-for-your-enterprise/advanced-configuration-and-troubleshooting/troubleshooting-github-actions-for-your-enterprise.md?plain=1#L71 (is this really needed or does the github.com approach work for enterprises as well and should be preferred because it is safer?)
The only sections which actually provide detailed information seem to be:
- Section about Dependabot secrets: https://github.com/github/docs/blame/e2f952a115fc4cb3d34281b1fa472ac3cd33e7da/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md#L45
- Section about how to increase permissions: https://github.com/github/docs/blame/e2f952a115fc4cb3d34281b1fa472ac3cd33e7da/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md#L81
What part(s) of the article would you like to see updated?
- If possible please consolidate the information
- Remove contradictions
- Add links so that the sections not only say "you can increase permissions, you can access secrets", but also link to the relevant sections about how to do it
- Document the security concerns / the rationale why the token has read-only permissions by default and why there are dedicated Dependabot secrets, so that users are hopefully careful with changing this
Additional information
No response
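An added illustration of the two settings the issue contrasts, written as two side-by-side workflow files; this is example configuration, not code from the issue author or from the github/docs repository. The workflow names, the job names and the secret name `MY_REGISTRY_TOKEN` are assumed; the `permissions` key, the `github.actor == 'dependabot[bot]'` expression and the behaviour that Dependabot-triggered runs receive a read-only `GITHUB_TOKEN` and only Dependabot secrets are as GitHub documents them.

```yaml
# Added example; not part of the issue or of github/docs.
# Two workflow files shown as two YAML documents. Secret name MY_REGISTRY_TOKEN,
# workflow and job names are assumed.

# --- .github/workflows/ci-weak.yml (the setting the issue wants warned against) ---
# Every job, on every trigger, gets a write-all token. A Dependabot PR that
# bumps a dependency also runs whatever build/test scripts the repo has with
# that elevated token, which is exactly why the default is read-only.
name: CI (weak)
on: [pull_request]
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
        env:
          # On a Dependabot-triggered run this resolves to an empty string:
          # Actions secrets are not passed, only Dependabot secrets are.
          REGISTRY_TOKEN: ${{ secrets.MY_REGISTRY_TOKEN }}
---
# --- .github/workflows/ci-hardened.yml (least privilege) ---
# The workflow default stays read-only. The single job that needs a write
# scope declares only that scope, and only runs for Dependabot actors.
name: CI (hardened)
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
        env:
          # Same name stored twice: as an Actions secret for normal runs and
          # as a Dependabot secret (Settings > Secrets and variables >
          # Dependabot) so it also resolves on Dependabot-triggered runs.
          REGISTRY_TOKEN: ${{ secrets.MY_REGISTRY_TOKEN }}

  label:
    # Elevated permission is confined to this job and to Dependabot runs.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - run: gh pr edit "$PR_URL" --add-label dependencies
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The job-level `permissions` block is the knob the "how to increase permissions" section describes; keeping the workflow-level default at `contents: read` means a dependency bump's scripts never see more than they need, and the label step fails closed (HTTP 403 from `gh`) rather than silently running with a read-only token if someone later removes the `permissions` block. The `permissions` key raises the token only for Dependabot-triggered runs; pull requests from forks stay capped at read access regardless of what the workflow declares.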
Thanks so much for opening an issue! I'll get this triaged for review.
Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert :eyes:
@Marcono1234 Hi! I have some SMEs who have been looking through your issues/PRs and I do need to follow up with them to see if they have anything to tell me, but this PR was just opened and merged today, and I don't know if it's related to/addresses any of your concerns. If you would be willing to take a look and let me know, that would be amazing. If not, that's fine, I'll ask around. It's just crazy with Build right now, and I don't know if anyone has the bandwidth to answer my questions.
Thanks for following up on this! The PR you mentioned does not seem to be directly related to the issue here.
> It's just crazy with Build right now, and I don't know if anyone has the bandwidth to answer my questions.
No problem!
@Marcono1234 Thank you! 💛 I know at least one member of the Dependabot team went to Build, but I'll see if anyone who answered my initial question about these issues is around this week. 🤞
Thanks @Marcono1234 for raising this! I see you've also opened a related PR—adding it here for visibility:
- https://github.com/github/docs/pull/37733
Thanks so much for opening an issue! I'll get this triaged for review.
Hello
Hello Github/Docs please say yes to verify
This is a gentle bump for the docs team that this issue is waiting for technical review.
😁
This is a gentle reminder for the docs team that this issue is waiting for technical review by a subject matter expert (SME).
This is a gentle reminder for the docs team that this issue is waiting for technical review by a subject matter expert (SME).