How to use dependabot secrets in GitHub CI workflow

Question

I have a NPM_AUTH_TOKEN secret which was originally stored in my actions secrets which doesn't seem to be accessible by dependabot when it automatically opens a PR.

I have now copied this secret into Dependabot Secrets. Do I need to change anything in my CI so that it can access it?

- name: Authenticate with Github Package Registry
  run:
    npm config set '//npm.pkg.github.com/:_authToken' "${NPM_AUTH_TOKEN}"
  env:
    NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}

The above action is run by both PR's opened by developers as well as dependabot. Will secrets.NPM_AUTH_TOKEN be the value from Actions Secrets when opened by a developer and then be the value from Dependabot Secrets when opened by Dependabot?

score 4 · Answer 1 · answered Apr 19 '22 at 20:58

github secrets are managed separately between actions, codespaces, and dependabot. You will need to set the same NPM_AUTH_TOKEN for dependabot, and then you can use it for both regular action run and the dependabot PRs.

You can check the secrets that dependabot can see by running gh secret list --app dependabot inside repo.

How to use dependabot secrets in GitHub CI workflow

1 Answers1