Re-run dependabot workflows as another actor

[gesellix]

With the recent change announced at https://github.blog/changelog/2022-07-19-differentiating-triggering-actor-from-executing-actor/ I'm not able to re-run dependabot pull requests as myself. I ususally have to re-run workflows, because dependabot isn't allowed to access secrets required for the workflows. Re-running them as myself enables access to the secrets. I'm aware that such a manual intervention isn't ideal by itself, but I at least I could fix failing workflows with a simple re-run.

Since the change mentioned above became effective, I don't see another way but manually changing the pull request, mangling with the commits or adding some, so that I would be the actor. This doesn't feel right, so I'd like to ask for some advice how I would easily make the workflows work. I've found https://github.com/orgs/community/discussions/5269 as a possible workaround, but I'm curious to know whether there are better solutions.

Maybe an option to choose the desired actor would be nice. By default it can be kept just as is (the initial actor), but I should be able to choose myself as actual actor for the re-run so that I could manually fall back to the previous behaviour.

[178inaba]

hello!

There is a place to set the Secret for Dependabot in the Repository Settings.
If you create a Secret with the same name and value as the Actions, Dependabot can access the Secret and the job will succeed.

[178inaba]

yes. My understanding is that you need to set two secrets, one for when the user triggers the Actions, and one for the Dependabot to use when the Actions are triggered.

[gesellix]

As far as I understood, those secrets for dependabot will be available in the dependabot config, only: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/managing-encrypted-secrets-for-dependabot
@178inaba did you give that configuration a try and made dependabot-created pull-requests work in a github actions workflow on the initial run?

[178inaba]

yes.
Actions were failing in pull requests made by Dependabot in my repository.
But by setting Secret for Dependabot, Actions succeeded.

[178inaba]

See this document.
https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets

[gesellix]

Finally coming back to this one. You're right, thanks @178inaba for the feedback and the links to the documentation!