Git cloning from private repos fails in dependabot triggered workflows

mctools / simplebuild-dgcode

dgcode: the Geant4-based simulation framework of the ESS Detector Group. Provided as simple-build-system bundles.

https://mctools.github.io/simplebuild-dgcode/

Other

2 stars 1 forks source link

Git cloning from private repos fails in dependabot triggered workflows #40

Closed tkittel closed 6 months ago

tkittel commented 6 months ago

Git cloning from private repos fails in dependabot triggered workflows, as explained here:

https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets

First of all, we should add a proper check to the relevant workflows to verify that the token is nonempty.

Secondly, we can either just live with this, or we can add the same tokens also as an identically named dependabot secret.

tkittel commented 6 months ago

So I have first of all improved the error message one gets if the tokens are not actually set in a given workflow execution, to avoid thinking this is an issue with the remote server.

Secondly, I have tried to add specific (and similarly named) tokens for the dependabot, so hopefully the issue won't be there anymore (except that all the tokens have to be updated yearly...).

tkittel commented 6 months ago

I think this is fixed. If the next dependabot PR shows otherwise, I will reopen.