Closed jameshadfield closed 3 weeks ago
I looked into this (cause I got a Slack notification) and observed that the HEROKU_TOKEN is resolving to empty:
but is defined as:
which implies to me that either GitHub Actions is experiencing issues resolving secrets (but there's nothing on https://githubstatus.com), or that particular workflow-triggering event precludes access to secrets, possibly because it was a commit/merge by Dependabot.
I suspect we need to configure secrets for Dependabot separately from secrets for GitHub Actions. Even though Actions is running here, it's because of Dependabot.
Ah dependabot doesn't have access
When a Dependabot event triggers a workflow, the only secrets available to the workflow are Dependabot secrets. GitHub Actions secrets are not available. Consequently, you must store any secrets that are used by a workflow triggered by Dependabot events as Dependabot secrets.
If you have a workflow that will be triggered by Dependabot and also by other actors, the simplest solution is to store the token with the permissions required in an action and in a Dependabot secret with identical names.
That is a frustrating way to do things.
Added HEROKU_TOKEN_READ_PROTECTED to dependabot secrets and rerunning the workflow
Thanks all! I figured it was something to do with "environments", and it kinda was but not what GitHub calls "environments".
P.S. There's some Dependabot secrets that we no longer have as actions secrets that we may want to remove
The recent CI action failed due to
(and thus correctly wasn't deployed). I re-ran it and it failed again (same error). A run ~20 minutes previous succeeded.
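The secret-scoping rule quoted in this thread, as an added example that is not part of the original discussion or the project's code: a check that lists which `${{ secrets.* }}` references in a workflow would resolve to empty on Dependabot-triggered runs, and which Dependabot secrets no longer have an Actions counterpart. The workflow text, its env mapping and both secret lists are constructed assumptions; in practice the names could come from `gh secret list --app actions` and `gh secret list --app dependabot`.

```python
import re

# A ${{ ... }} expression, and a secrets.NAME reference inside one.
# (The secrets['NAME'] index form is not handled in this sketch.)
EXPR = re.compile(r"\$\{\{(.*?)\}\}", re.S)
REF = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")


def referenced_secrets(workflow_text):
    """Return the stored-secret names a workflow file reads."""
    names = set()
    for expr in EXPR.findall(workflow_text):
        names.update(n.upper() for n in REF.findall(expr))
    # GITHUB_TOKEN is injected per run, not stored as a repository secret.
    names.discard("GITHUB_TOKEN")
    return names


def audit(workflow_text, actions_secrets, dependabot_secrets):
    """Compare workflow references against both secret stores."""
    used = referenced_secrets(workflow_text)
    actions = {n.upper() for n in actions_secrets}
    dependabot = {n.upper() for n in dependabot_secrets}
    return {
        # Dependabot-triggered runs only see Dependabot secrets.
        "empty_on_dependabot_runs": sorted(used - dependabot),
        # Runs triggered by other actors only see Actions secrets.
        "empty_on_other_runs": sorted(used - actions),
        # Left behind after the Actions secret was removed.
        "stale_dependabot_secrets": sorted(dependabot - actions),
    }


# Constructed sample: the thread does not show the real workflow file.
SAMPLE_WORKFLOW = """
jobs:
  deploy:
    steps:
      - run: ./deploy.sh
        env:
          HEROKU_TOKEN: ${{ secrets.HEROKU_TOKEN_READ_PROTECTED }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""
SAMPLE_ACTIONS = ["HEROKU_TOKEN_READ_PROTECTED"]   # constructed
SAMPLE_DEPENDABOT = ["OLD_DEPLOY_KEY"]             # constructed, hypothetical name

if __name__ == "__main__":
    for finding, names in audit(SAMPLE_WORKFLOW, SAMPLE_ACTIONS, SAMPLE_DEPENDABOT).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```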