
Dependabot can not access the secrets #4761

Closed
liangyuanpeng opened this issue Mar 28, 2024 · 10 comments · Fixed by #4762
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@liangyuanpeng
Contributor

What would you like to be added:

/assign

I really tested Dependabot on my fork, and skipped some CI due to if: ${{ github.repository == 'karmada-io/karmada' }}.

Now, there are two cases that need to be resolved:

FOSSA failed

api-key: ${{secrets.FOSSA_API_KEY}}

It can be resolved by adding a Dependabot secret. cc @RainbowMango

upload sarif to codeql failed

- name: Upload Trivy scan results to GitHub Security tab
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: 'trivy-results.sarif'

https://github.com/karmada-io/karmada/actions/runs/8445321687/job/23132353774?pr=4753#step:7:64
Warning: Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See https://docs.github.com/en/code-security/secure-coding/configuring-code-scanning#scanning-on-push for more information on how to configure these events.

Following the warning, let this CI run on pull_request for Dependabot to resolve it.

verifying at https://github.com/liangyuanpeng/karmada/actions/runs/8460139871/job/23177775457?pr=53

Why is this needed:

@liangyuanpeng liangyuanpeng added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 28, 2024
@liangyuanpeng liangyuanpeng changed the title Dependabot can not access secrets Dependabot can not access the secrets Mar 28, 2024
@RainbowMango
Member

Just added the Secret for Dependabot as per Adding a repository secret for Dependabot.

@zhzhuang-zju
Contributor

To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches

@liangyuanpeng Do you know why we should avoid triggering on the "push" event for Dependabot branches with Code Scanning? If it's just a permission issue, can we just add write permission?

@liangyuanpeng
Contributor Author

liangyuanpeng commented Apr 2, 2024

@zhzhuang-zju

github/codeql-action#435 (comment)
Although perhaps you could add "Uploading code scanning results requires write access." as second sentence?

I found the PR for this warning log and it seems like it just wanted to draw people's attention to the fact that this requires write permissions.

@RainbowMango
Member

Hi @liangyuanpeng

The workflows/fossa.yml and workflows/ci-image-scanning.yaml should not run for a PR. So I guess we can ignore the two workflows from running in PRs. Something like:

diff --git a/.github/workflows/ci-image-scanning.yaml b/.github/workflows/ci-image-scanning.yaml
index 1774ec0c1..c1b1c801b 100644
--- a/.github/workflows/ci-image-scanning.yaml
+++ b/.github/workflows/ci-image-scanning.yaml
@@ -1,6 +1,10 @@
 name: image-scanning
 on:
-  push: 
+  push:
+    # Exclude branches created by Dependabot to avoid triggering current workflow
+    # for PRs initiated by Dependabot.
+    branches-ignore:
+      - 'dependabot/**'
 jobs:
   use-trivy-to-scan-image:
     name: image-scanning
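Review bot: the `branches-ignore: 'dependabot/**'` filter removes the failing run, but it also means Trivy never scans a Dependabot bump before it is merged; the warning quoted earlier in this thread names the other option, triggering on `pull_request` (with write access for the SARIF upload), which keeps the scan on the PR itself. If skipping is the intended trade-off, say so in the comment; "current workflow" also reads better as "this workflow". The hunk additionally drops the trailing space after `push:`, which is fine.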
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index 05165eeb3..f9d41046d 100644
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -1,6 +1,10 @@
 name: FOSSA
 on:
   push:
+    # Exclude branches created by Dependabot to avoid triggering current workflow
+    # for PRs initiated by Dependabot.
+    branches-ignore:
+      - 'dependabot/**'
 jobs:
   fossa:
     name: FOSSA
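Review bot: with this filter FOSSA no longer runs on Dependabot branches, so the `FOSSA_API_KEY` Dependabot secret added earlier in this thread becomes dead configuration; remove it together with this change rather than leaving an unused credential in place. The comment block is copied verbatim from ci-image-scanning.yaml, so keep the two in sync if the wording is adjusted.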

What do you think?

by the way:
We don't know why a Dependabot PR would trigger the two workflows yet; @zhzhuang-zju sent a ticket to the GitHub support team, no response yet.
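For reference, the following workflow shows both fixes discussed in this thread in one place: the branches-ignore filter from the diff above, plus the pull_request trigger the Code Scanning warning recommends, with the token scoped to what the SARIF upload needs. This is an added example written for this page, not a file from the karmada repository or from this thread's PR; the image reference, the runner label and the job layout are assumptions.

```yaml
# Added example, not the project's own workflow. Combines the two approaches
# from the thread so a Dependabot PR is scanned once and the push-triggered
# run (which has a read-only token and no repository secrets) never fires.
name: image-scanning

on:
  push:
    # Dependabot pushes its branch into the repository itself, so a plain
    # `push` trigger fires for every Dependabot branch. Those runs get a
    # read-only GITHUB_TOKEN and no repository secrets, so the SARIF upload
    # fails. Excluding the branches avoids the failing run; the PR itself is
    # still covered by the pull_request trigger below.
    branches-ignore:
      - 'dependabot/**'
  pull_request:

# Least privilege for the job: reading the checkout plus writing Code Scanning
# results. Dependabot-triggered runs start read-only, so this key is what lets
# the pull_request run upload SARIF (assumption: no other step needs more).
permissions:
  contents: read
  security-events: write

jobs:
  use-trivy-to-scan-image:
    name: image-scanning
    runs-on: ubuntu-22.04   # assumption: any recent Ubuntu runner works
    steps:
      - name: checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          # Placeholder image; replace with the image this workflow builds.
          image-ref: 'example/app:latest'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
```

The trade-off between the two halves is worth stating: the branches-ignore filter on its own (what the thread settles on) means a dependency bump is first scanned only after it is merged and pushed, while keeping pull_request means the same bump is scanned once, on the PR, with a token that has been explicitly granted security-events: write. For a workflow like fossa.yml that needs a repository secret rather than a token permission, the thread's own finding applies: a Dependabot-triggered run only sees secrets added under the Dependabot secrets section, so either add the key there or exclude the branches as the diff does.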

@liangyuanpeng
Contributor Author

liangyuanpeng commented Apr 8, 2024

The workflows/fossa.yml and workflows/ci-image-scanning.yaml should not run for a PR

Since Dependabot's PRs always update dependencies and don't add a dependency, I agree it can be skipped.

We don't know why Dependabot PR would trigger the two workflows yet,

@RainbowMango
The reason is that the Dependabot branch exists in the karmada repo, so it will trigger the push event.

@zhzhuang-zju
Contributor

The workflows/fossa.yml and workflows/ci-image-scanning.yaml should not run for a PR

The workflows/ci.yml and workflows/cli.yaml are both triggered on push and pull request events, which may be double checked when Dependabot submits a PR.
Whether these workflows need to avoid triggering for PRs initiated by Dependabot, like

on:
  push:
+    # Exclude branches created by Dependabot to avoid triggering current workflow
+    # for PRs initiated by Dependabot.
+    branches-ignore:
+      - 'dependabot/**'
  pull_request:
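Review bot: this fragment has no `@@` header or `-` lines, so it reads as a suggestion rather than an applied change; that is fine for discussion, but the real diff should touch both ci.yml and cli.yaml. For these two workflows the filter only drops the duplicate push-triggered run, because the `pull_request:` trigger still checks the Dependabot PR, so no coverage is lost. Before applying it, confirm that neither workflow reads a repository secret in that pull_request run, since the thread's own finding is that Dependabot-triggered runs only see secrets added under Dependabot.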

@zhzhuang-zju
Contributor

The reason is that the Dependabot branch exists in the karmada repo, so it will trigger the push event.

Yes, the push event is actually triggered in the Dependabot branch. We want to figure out why the [push] workflow appears in the check screen of an open PR and intercepts the merge of the PR if it fails. If it's a workflow mechanism, then we can circumvent it as suggested by @RainbowMango.

@RainbowMango
Member

The workflows/ci.yml and workflows/cli.yaml are both triggered on push and pull request events, which may be double checked when Dependabot submits a PR.

+1.

@RainbowMango
Member

So, @liangyuanpeng what do you say, shall we do it in #4762?

@RainbowMango
Member

Just added the Secret for Dependabot as per Adding a repository secret for Dependabot.

I removed the secret as we don't need it anymore (skipped push events for branches created by Dependabot).

push:
  # Exclude branches created by Dependabot to avoid triggering current workflow
  # for PRs initiated by Dependabot.
  branches-ignore:
    - 'dependabot/**'
