
Dependabot Actions troubleshooting suggestions might be insecure #37658


Open
1 task done
Marcono1234 opened this issue Apr 20, 2025 · 2 comments
Labels
content This issue or pull request belongs to the Docs Content team dependabot Content related to Dependabot needs SME This proposal needs review from a subject matter expert

Comments

@Marcono1234
Contributor

Marcono1234 commented Apr 20, 2025

What article on docs.github.com is affected?

1. You can update your workflows so that they are no longer triggered by {% data variables.product.prodname_dependabot %} using an expression like: `if: github.actor != 'dependabot[bot]'`. For more information, see [AUTOTITLE](/actions/learn-github-actions/expressions).
1. You can modify your workflows to use a two-step process that includes `pull_request_target` which does not have these limitations. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#restrictions-when-dependabot-triggers-events).

What part(s) of the article would you like to see updated?

  • It currently recommends an `if: github.actor != 'dependabot[bot]'` check.
    Maybe (at least for pull requests) it would be safer to use `github.event.pull_request.user.login != 'dependabot[bot]'`. Otherwise malicious users could abuse this to skip certain workflows, see related https://www.synacktiv.com/publications/github-actions-exploitation-dependabot.
  • It currently suggests using `pull_request_target` and a "two-step process" without going into detail.
    It might be safer to not recommend `pull_request_target` (due to its inherent security risks), but rather suggest increasing the permissions and using Dependabot secrets (which is bullet point 3 of that recommendations list, so maybe this point 2 can simply be omitted?).

Additional information

I am not completely sure about the proposed changes, so please let me know if I forgot to consider something, or if something I wrote is incorrect.
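As an added example (not from the docs article or the issue author), the following workflow places the `github.actor` condition the docs currently quote beside the PR-author condition proposed above, and adds a job that takes the third approach the issue mentions: running for Dependabot PRs with explicitly granted permissions instead of `pull_request_target`. The job names, the `dependencies` label and the `gh` call are assumptions.

```yaml
# Added example, not from the GitHub docs or the issue: contrasting the two
# skip conditions discussed above. Assumed: a repository where the "test" job
# should not run for Dependabot-authored pull requests.
name: ci
on:
  pull_request:

permissions:
  contents: read

jobs:
  # Condition as currently quoted in the docs. github.actor is the user who
  # triggered this run (for pull_request, whoever pushed or acted on the PR),
  # so it does not necessarily identify the PR's author.
  test-actor-check:
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "skipped only when the triggering actor is dependabot[bot]"

  # Condition proposed in the issue: compare the PR author instead, which is
  # fixed when the PR is opened and does not change with later events on it.
  test-author-check:
    if: github.event.pull_request.user.login != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "skipped only when the PR was opened by dependabot[bot]"

  # Alternative the issue prefers over pull_request_target: let a job run for
  # Dependabot PRs with explicitly granted permissions. On Dependabot-triggered
  # runs GITHUB_TOKEN is read-only unless raised here, and secrets.* resolves
  # from the repository's Dependabot secrets rather than the Actions secrets.
  label-dependabot-pr:
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      # "dependencies" is an assumed label name; create it in the repo first.
      # PR number is passed through env rather than interpolated into the script.
      - env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr edit "$PR_NUMBER" --add-label dependencies --repo "$GITHUB_REPOSITORY"
```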

@Marcono1234 Marcono1234 added the content This issue or pull request belongs to the Docs Content team label Apr 20, 2025
@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label Apr 20, 2025
@Sharra-writes
Contributor

Thanks so much for opening another issue! I'll get this triaged for review, too.

@Sharra-writes Sharra-writes added dependabot Content related to Dependabot needs SME This proposal needs review from a subject matter expert and removed triage Do not begin working on this issue until triaged by the team labels Apr 21, 2025

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀
