I am trying to automate merges of Dependabot PRs in GitHub and wrote the workflow as in this guide, https://github.com/marketplace/actions/dependabot-auto-merge, except for the token name.

As the token, I have created a personal access token and then added the token as a secret named MY_SECRET in the repository.

This is my workflow template:

```yaml
name: Dependabot auto-approve
on: pull_request

permissions:
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Approve a PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
  auto-merge:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ahmadnassri/action-dependabot-auto-merge@v2
        with:
          target: minor
          github-token: ${{ secrets.MY_TOKEN }}
```

And the auto-merge job fails. When I use ${{ secrets.MY_TOKEN }}, or leave an empty string, then I get the error:

```
throw new Error(`Input required and not supplied: ${name}`);
```

If I replace the ${{ secrets.MY_TOKEN }} with any random string value, then I get an invalid credentials response.

Based on this, my conclusion is that the secret is not provided. I just cannot figure out why.

I read about some issues with reusable workflows, but I am not sure if this counts as one.

Anders Breid
  • So you created a secret called `MY_SECRET` in the repository and you refer to that as `MY_TOKEN`? That's wrong, you have to use `${{ secrets.MY_SECRET }}` – Fcmam5 Aug 23 '23 at 10:25
  • MY_SECRET was a typo, it should have been MY_TOKEN, but found out why I could not use it and will write a response. – Anders Breid Aug 23 '23 at 18:16

1 Answer

After continuing the investigation, I found out that repository secrets under the Actions tab are not accessible during pull request pipeline executions.

There is a specific tab for Dependabot pipelines that can store encrypted secrets as well. These are only accessible by Dependabot pull request pipelines.

Anders Breid
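
The check described in the answer can be scripted. This is an added example, not code from the original post: it reports whether a secret name exists in the Dependabot store, only in the Actions store, or in neither. It assumes an authenticated GitHub CLI (`gh`); `OWNER/REPO` is a placeholder and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find out which secret store
# holds a secret. Workflows triggered by Dependabot pull requests read the
# "dependabot" store; the "actions" store is not exposed to them.

# Print the secret names in one store ("actions" or "dependabot") of a repo.
# Assumes an authenticated GitHub CLI; when piped, `gh secret list` prints
# one secret per line with the name in the first column.
list_secret_names() {
  gh secret list --repo "$1" --app "$2" | awk '{print $1}'
}

# has_secret REPO STORE NAME: exact, whole-line match on the secret name.
has_secret() {
  list_secret_names "$1" "$2" | grep -qxF -- "$3"
}

# diagnose_secret REPO NAME
# Returns 0 if a Dependabot-triggered workflow can read NAME,
#         1 if NAME exists only as an Actions secret,
#         2 if NAME is in neither store (for example a misspelled name).
diagnose_secret() {
  ds_repo=$1
  ds_name=$2
  if has_secret "$ds_repo" dependabot "$ds_name"; then
    echo "$ds_name: present in Dependabot secrets"
    return 0
  fi
  if has_secret "$ds_repo" actions "$ds_name"; then
    echo "$ds_name: Actions secret only, empty in Dependabot PR runs"
    echo "fix: gh secret set $ds_name --app dependabot --repo $ds_repo"
    return 1
  fi
  echo "$ds_name: not found in either store, check the name"
  return 2
}

# Usage (OWNER/REPO is a placeholder):
#   diagnose_secret OWNER/REPO MY_TOKEN
```

A return code of 1 corresponds to the situation in the question: the secret is defined, but the workflow run triggered by Dependabot receives an empty value.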