-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dependabot pull requests fail on repositories with maven-dependency-submission action #17
Comments
Dependabot PRs are handled like PRs from forked repositories. Therefore the workflow's # The API requires write permission on the repository to submit dependencies
permissions:
contents: write |
Thank you @cmergenthaler ; that solved the problem for me. Your tip should be added to the README of this repo |
This fixes advanced-security#17 It works for me like this, see https://github.com/MariaDB4j/MariaDB4j/pull/759/files
BTW: I dont think giving write permission is something you should document. In fact I think the template should instead contain a conditional to not run the actvitiy on PRs (or not run it if it has no token permission) or run it but not fail the post. |
If you intend to not run this snapshot submission on Dependabot PRs ( to avoid granting write permissions when pulling in new potentially untrusted dependency versions ) - this is the prescribed methodology: if: github.actor != 'dependabot[bot]' Feedback for this repo: https://github.com/actions/starter-workflows/blob/main/ci/maven.yml |
The github.actor is interesting, but is this the right condition? After all non-dependabot pull requests would pass, and those are the ones i dont want to have a write token. But I agree, A example condition really should be inside the template because it really encourages insecure practice. The number of places people recommend to use write tokens is insane. I am currently using:
This way I can also turn it off, when it is broken again :) |
Sure, you are absolutely right to have concern about what a 3rd party/dependency may have the ability to do with a write token! It is unfortunate that this api is guarded by writing contents instead of a fine-grained permission unto itself. This issue OP created was around dependabot failing so that is what my response was targeted at - as needed, you could implement any logic to guard this or continue on failure.
Note that if you use the This is a starter template so there is limited depth in those - agreed on they should be using secure practices 💟. I have proposed to split the suggested starter workflow into distinct jobs for maven build vs submit dependency graph snapshot to enforce a least privilege model here (dependabot being one of the scenarios where this fails): actions/starter-workflows#2338 |
The action could also just skip itself if it has no write token. Instead of failing just log a warning. Then it needs no further if. or, can you check in a „if“ the token role, then you could put that in the starter template as a skip condition. The starter template must not be ready for all eventualities, but at least it should not fail by default when the user enables recommended bots. (Having said that, your suggested if is only half bad :) |
When creating a new workflow using the suggested "Java with Maven" it includes the maven dependancy submission action.
For example:
However if dependabot is enabled for the repository then when dependabot opens a pull request the action fails with the following error:
I am not sure if this is a bug or a configuration issue. Any advice gratefully received.
The text was updated successfully, but these errors were encountered: