Closed jameshadfield closed 3 weeks ago
tsibley
commented
3 weeks ago I looked into this (cause I got a Slack notification) and observed that the HEROKU_TOKEN is resolving to empty:
but is defined as:
which implies to me that either GitHub Actions is experiencing issues resolving secrets (but there's nothing on https://githubstatus.com), or that particular workflow-triggering event precludes access to secrets, possibly because it was a commit/merge by Dependabot.
tsibley
commented
3 weeks ago I suspect we need to configure secrets for Dependabot separately from secrets for GitHub Actions. Even though Actions is running here, it's because of Dependabot.
joverlee521
commented
3 weeks ago Ah dependabot doesn't have access
When a Dependabot event triggers a workflow, the only secrets available to the workflow are Dependabot secrets. GitHub Actions secrets are not available. Consequently, you must store any secrets that are used by a workflow triggered by Dependabot events as Dependabot secrets
tsibley
commented
3 weeks ago tsibley
commented
3 weeks ago If you have a workflow that will be triggered by Dependabot and also by other actors, the simplest solution is to store the token with the permissions required in an action and in a Dependabot secret with identical names.
That is a frustrating way to do things.
joverlee521
commented
3 weeks ago Added HEROKU_TOKEN_READ_PROTECTED to dependabot secrets and rerunning the workflow
jameshadfield
commented
3 weeks ago Thanks all! I figured it was something to do with "environments", and it kinda was but not what GitHub calls "environments".
P.S. There's some Dependabot secrets that we no longer have as actions secrets that we may want to remove
victorlin
commented
3 weeks ago P.S. There's some Dependabot secrets that we no longer have as actions secrets that we may want to remove
The recent CI action failed due to
(and thus correctly wasn't deployed). I re-ran it and it failed again (same error). A run ~20 mintutes previous succeeded.