Skip to content

docs: document that Actions variables are accessible in Dependabot workflows#43952

Open
gokcedemir wants to merge 1 commit intogithub:mainfrom
gokcedemir:main
Open

docs: document that Actions variables are accessible in Dependabot workflows#43952
gokcedemir wants to merge 1 commit intogithub:mainfrom
gokcedemir:main

Conversation

@gokcedemir
Copy link
Copy Markdown

@gokcedemir gokcedemir commented Apr 24, 2026

Why:

Closes: #43950

What's being changed:

Added a bullet point to the "Restrictions when Dependabot triggers events" section documenting that Actions variables (vars context) are accessible in Dependabot-triggered workflows.

Tested in: https://github.com/gokcedemir/dependabot-variables-test

  • Workflow log showed Secret source: Dependabot
  • vars.TEST_VAR was successfully accessed with its value

Related community discussion: https://github.com/orgs/community/discussions/44088

Check off the following:

  • A subject matter expert (SME) has reviewed the technical accuracy of the content in this PR. In most cases, the author can be the SME. Open source contributions may require an SME review from GitHub staff.
  • The changes in this PR meet the docs fundamentals that are required for all content.
  • All CI checks are passing and the changes look good in the review environment.

@github-actions github-actions Bot added the triage Do not begin working on this issue until triaged by the team label Apr 24, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 24, 2026

How to review these changes 👓

Thank you for your contribution. To review these changes, choose one of the following options:

A Hubber will need to deploy your changes internally to review.

Table of review links

Note: Please update the URL for your staging server or codespace.

The table shows the files in the content directory that were changed in this pull request. This helps you review your changes on a staging server. Changes to the data directory are not included in this table.

Source Review Production What Changed
code-security/reference/supply-chain-security/dependabot-on-actions.md fpt
ghec
ghes@ 3.20 3.19 3.18 3.17 3.16 3.15 3.14
fpt
ghec
ghes@ 3.20 3.19 3.18 3.17 3.16 3.15 3.14

Key: fpt: Free, Pro, Team; ghec: GitHub Enterprise Cloud; ghes: GitHub Enterprise Server

🤖 This comment is automatically generated.

@Sharra-writes Sharra-writes added content This issue or pull request belongs to the Docs Content team dependabot Content related to Dependabot and removed triage Do not begin working on this issue until triaged by the team labels Apr 28, 2026
@Sharra-writes
Copy link
Copy Markdown
Contributor

Sharra-writes commented Apr 28, 2026

@gokcedemir Checking with the Dependabot team about this to make sure it's working as intended and that there's no reason we're not already documenting it.

@jurre
Copy link
Copy Markdown
Member

jurre commented Apr 28, 2026

Actions variables should, as far as I'm aware, not be available to Dependabot. Even if they are available to the workflow (which I think would be an oversight?) they should not be accessible by the process that runs dependabot, because it runs in an isolated container. Let me look into this a bit please before publishing please

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@truggeri truggeri truggeri approved these changes

Assignees

No one assigned

Labels

content This issue or pull request belongs to the Docs Content team dependabot Content related to Dependabot

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Dependabot on Actions page does not document Variables accessibility

4 participants

@gokcedemir @Sharra-writes @jurre @truggeri