Note
I'm now using a newer version of this workflow that supports an allow list for individual packages and update groups which can be found here:
If you're using a workflow like this and need to manage secrets in multiple repos xt0rted/secrets-sync can simplify that. This lets you add secrets to one repo and sync them to many repos. There's also a template you can fork to get started quickly with it.
This workflow requires the Allow auto-merge setting to be enabled and ideally a branch protection rule to ensure your other workflows pass before merging.
If the default GITHUB_TOKEN is used, any workflows that would be triggered by the merge won't run; to work around that, a PAT needs to be used.
The DEPENDABOT_TOKEN needs the repo and read:org scopes and should be added as both an Actions and a Dependabot secret for the org or repo where this will run.
An alternative method is to use a GitHub App. To do this you'll need to go to https://github.com/settings/apps/new or https://github.com/organizations/<org>/settings/apps/new and create an app with the following settings:
- Uncheck Expire user authorization tokens
- Uncheck Webhook Active
- Set the following Repository permissions
  - Contents: Read & Write
  - Metadata: Read-only
  - Pull requests: Read-only
Once created you'll need to generate a private key.
You'll then need to install the app to your account or org and add Actions & Dependabot secrets for both the BOT_APP_ID and BOT_PRIVATE_KEY values, which correspond to the App ID at the top of the page and the private key you just created.
The final step is to make sure you've enabled auto-merge for PRs on the repo.
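As an added illustration of the GitHub App variant described above (this is example configuration written for this note, not the workflow the note links to), a workflow that mints an installation token from the BOT_APP_ID and BOT_PRIVATE_KEY secrets and enables auto-merge only for minor and patch updates. It assumes the third-party actions actions/create-github-app-token and dependabot/fetch-metadata; the job name, step names and the minor/patch-only filter are choices made for this example.

```yaml
name: Dependabot auto-merge
on: pull_request

# Let the default token read the PR; the merge itself uses the app token below.
permissions:
  contents: read
  pull-requests: read

jobs:
  auto-merge:
    # Only act on PRs opened by Dependabot; anything else is left for humans.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # A pull_request run triggered by Dependabot reads Dependabot secrets, not
      # Actions secrets, which is why the note adds BOT_APP_ID and
      # BOT_PRIVATE_KEY as both kinds of secret.
      - name: Mint an installation token for the GitHub App
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.BOT_APP_ID }}
          private-key: ${{ secrets.BOT_PRIVATE_KEY }}

      # Major version bumps are excluded on purpose: they are the updates most
      # likely to carry breaking or unexpected changes and deserve review.
      - name: Enable auto-merge for minor and patch updates
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
          steps.metadata.outputs.update-type == 'version-update:semver-patch'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          # Using the app token (rather than GITHUB_TOKEN) means workflows
          # triggered by the eventual merge still run.
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
```

Because the merge is queued with --auto, it only completes once the branch protection rule's required checks pass.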
Why do we need to create the secret as both Action & Dependabot? Isn't it sufficient to create it as a Dependabot secret?