Using PAT throws error "Input required and not supplied: github-token" #201

Closed
2 tasks done
austins opened this issue May 6, 2022 · 5 comments

@austins

austins commented May 6, 2022

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the bug has not already been reported

fastify/github-action-merge-dependabot version

3.1.4

Operating system

Linux

Operating system version (i.e. 20.04, 11.3, 10)

ubuntu-latest (currently ubuntu-20.04)

Description

Using a PAT for github-token throws an error and fails on initial PR job run.

A PAT is used instead of the GITHUB_TOKEN to allow deployment workflows to be triggered on the main branch by PR merges. See: Triggering a workflow from a workflow.

Raw log from the failed job:

2022-05-06T04:59:40.2334607Z Requested labels: ubuntu-latest
2022-05-06T04:59:40.2334658Z Job defined at: austins/smoothnanners-web/.github/workflows/build.yml@refs/pull/49/merge
2022-05-06T04:59:40.2334676Z Waiting for a runner to pick up this job...
2022-05-06T04:59:40.8644504Z Job is waiting for a hosted runner to come online.
2022-05-06T04:59:43.9233605Z Job is about to start running on the hosted runner: Hosted Agent (hosted)
2022-05-06T04:59:46.0214385Z Current runner version: '2.291.1'
2022-05-06T04:59:46.0245172Z ##[group]Operating System
2022-05-06T04:59:46.0245792Z Ubuntu
2022-05-06T04:59:46.0246154Z 20.04.4
2022-05-06T04:59:46.0246456Z LTS
2022-05-06T04:59:46.0246910Z ##[endgroup]
2022-05-06T04:59:46.0247305Z ##[group]Virtual Environment
2022-05-06T04:59:46.0247700Z Environment: ubuntu-20.04
2022-05-06T04:59:46.0248118Z Version: 20220503.1
2022-05-06T04:59:46.0248784Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20220503.1/images/linux/Ubuntu2004-Readme.md
2022-05-06T04:59:46.0249536Z Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20220503.1
2022-05-06T04:59:46.0250080Z ##[endgroup]
2022-05-06T04:59:46.0250516Z ##[group]Virtual Environment Provisioner
2022-05-06T04:59:46.0250910Z 1.0.0.0-main-20220421-1
2022-05-06T04:59:46.0251317Z ##[endgroup]
2022-05-06T04:59:46.0252519Z ##[group]GITHUB_TOKEN Permissions
2022-05-06T04:59:46.0253337Z Actions: read
2022-05-06T04:59:46.0254086Z Checks: read
2022-05-06T04:59:46.0254598Z Contents: read
2022-05-06T04:59:46.0254926Z Deployments: read
2022-05-06T04:59:46.0255333Z Discussions: read
2022-05-06T04:59:46.0255713Z Issues: read
2022-05-06T04:59:46.0256111Z Metadata: read
2022-05-06T04:59:46.0256432Z Packages: read
2022-05-06T04:59:46.0256810Z Pages: read
2022-05-06T04:59:46.0257189Z PullRequests: read
2022-05-06T04:59:46.0257554Z RepositoryProjects: read
2022-05-06T04:59:46.0258010Z SecurityEvents: read
2022-05-06T04:59:46.0258415Z Statuses: read
2022-05-06T04:59:46.0258735Z ##[endgroup]
2022-05-06T04:59:46.0263285Z Secret source: Dependabot
2022-05-06T04:59:46.0263975Z Prepare workflow directory
2022-05-06T04:59:46.1210052Z Prepare all required actions
2022-05-06T04:59:46.1403168Z Getting action download info
2022-05-06T04:59:46.4510372Z Download action repository 'fastify/github-action-merge-dependabot@v3' (SHA:3ef36a063a845ad3b790809d9a3b8e92ea1f9bc2)
2022-05-06T04:59:47.3960337Z ##[group]Run fastify/github-action-merge-dependabot@v3
2022-05-06T04:59:47.3960662Z with:
2022-05-06T04:59:47.3960849Z   target: minor
2022-05-06T04:59:47.3961052Z   approve-only: false
2022-05-06T04:59:47.3961241Z   merge-method: squash
2022-05-06T04:59:47.3961436Z ##[endgroup]
2022-05-06T04:59:47.6158727Z /home/runner/work/_actions/fastify/github-action-merge-dependabot/v3/dist/index.js:216
2022-05-06T04:59:47.6160090Z         throw new Error(`Input required and not supplied: ${name}`);
2022-05-06T04:59:47.6160389Z         ^
2022-05-06T04:59:47.6160524Z 
2022-05-06T04:59:47.6160837Z Error: Input required and not supplied: github-token
2022-05-06T04:59:47.6161521Z     at Object.getInput (/home/runner/work/_actions/fastify/github-action-merge-dependabot/v3/dist/index.js:216:15)
2022-05-06T04:59:47.6162681Z     at exports.getInputs (/home/runner/work/_actions/fastify/github-action-merge-dependabot/v3/dist/index.js:9657:22)
2022-05-06T04:59:47.6163505Z     at Object.3348 (/home/runner/work/_actions/fastify/github-action-merge-dependabot/v3/dist/index.js:9317:5)
2022-05-06T04:59:47.6164211Z     at __nccwpck_require__ (/home/runner/work/_actions/fastify/github-action-merge-dependabot/v3/dist/index.js:9844:43)
2022-05-06T04:59:47.6164856Z     at /home/runner/work/_actions/fastify/github-action-merge-dependabot/v3/dist/index.js:9866:13
2022-05-06T04:59:47.6165479Z     at /home/runner/work/_actions/fastify/github-action-merge-dependabot/v3/dist/index.js:9869:3
2022-05-06T04:59:47.6166146Z     at Object.<anonymous> (/home/runner/work/_actions/fastify/github-action-merge-dependabot/v3/dist/index.js:9872:12)
2022-05-06T04:59:47.6166608Z     at Module._compile (node:internal/modules/cjs/loader:1101:14)
2022-05-06T04:59:47.6166997Z     at Object.Module._extensions..js (node:internal/modules/cjs/loader:1153:10)
2022-05-06T04:59:47.6167384Z     at Module.load (node:internal/modules/cjs/loader:981:32)
2022-05-06T04:59:47.6446619Z Cleaning up orphan processes

However, re-running failed jobs once gets it to succeed.

I'm not sure if this is another issue with GitHub Actions or with github-action-merge-dependabot.

Steps to Reproduce

The workflow is triggered by a pull_request event, not workflow_dispatch.

This is the job yml (source):

    automerge:
        needs: docker
        runs-on: ubuntu-latest
        steps:
            -   name: Automerge
                uses: fastify/github-action-merge-dependabot@v3
                with:
                    github-token: ${{ secrets.PAT_REPO }}
                    target: minor

permissions: config is not specified as it only applies to the GITHUB_TOKEN.

Use a PAT with repo permissions saved as a repository secret.

Expected Behavior

Does not throw an error on the initial run when using a PAT instead of the GITHUB_TOKEN.

@climba03003
Member

climba03003 commented May 6, 2022

It is expected behavior.
The actor of the workflow is dependabot, which doesn't have the permission to read secrets of your organization or repo.
When you re-run the action, the actor will change to you and it has access to the secrets.

This behavior is explained in GitHub Docs.

Secrets are populated from Dependabot secrets. GitHub Actions secrets are not available.

If you need to pass the secrets to dependabot, then you need to follow the guide and edit dependabot.yml.

@austins
Author

austins commented May 6, 2022

The actor being dependabot makes sense and would explain this issue. However, according to this forum thread, to which @simoneb also contributed, it seems that Dependabot secrets are only for config options in dependabot.yml "so that Dependabot can update dependencies from private registries" and can't be used in the workflow where github-action-merge-dependabot is added as a job, unless things changed since a year ago.

So with:

    permissions:
      pull-requests: write
      contents: write

This leads to the next issue on how to allow this method to trigger workflows since the PR is treated as if it were coming from a forked repository. With github-action-merge-dependabot v2 where the dependabot-merge-action-app solution was used, it was able to trigger the workflow on push event, but v3 has switched to the new permissions config using GITHUB_TOKEN.

@climba03003
Member

Unless the document is wrong, here is the use case for using the secrets in a custom action, and those secrets are defined inside dependabot.yml:
https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets

This leads to the next issue on how to allow this method to trigger workflows since the PR is treated as if it were coming from a forked repository. With github-action-merge-dependabot v2 where the dependabot-merge-action-app solution was used, it was able to trigger the workflow on push event, but v3 has switched to the new permissions config using GITHUB_TOKEN.

This is discussed inside #134 and there is no plan for reverting back to a backing API design.

@simoneb
Collaborator

simoneb commented May 6, 2022

@austins with v3 there is no way to trigger workflows as a result of a PR being automerged by the action. It's a compromise we accepted because it simplifies the architecture of the solution. In all honesty we realized it after the fact, but we're not planning to go back to the previous solution anyway. I believe v2 is probably still working, but it can stop working any time as we're not actively maintaining it.

@austins
Author

austins commented May 7, 2022

It appears that GitHub workflows can be sent Dependabot secrets since November 30, 2021. Mixed sources made it hard to confirm this. This lines up with the doc @climba03003 linked to.

I've added the secrets that the workflow jobs need in the "Dependabot secrets" settings for the repo. I didn't have to modify the dependabot.yml file. I can confirm that this works. I hope this helps others who have a similar use case and need to run CI/CD workflows when they're triggered by the dependabot[bot] actor.

Thanks for the help, @climba03003, and the info, @simoneb! Closing this issue since it's not a bug with fastify/github-action-merge-dependabot. 😃

@austins austins closed this as completed May 7, 2022
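
An added illustration, not part of the original thread and not the action's or GitHub's own code: a simplified JavaScript model of why the first, Dependabot-triggered run fails with "Input required and not supplied" while a manual re-run, or a run after the secret is added under "Dependabot secrets", succeeds. The helpers `resolveSecrets`, `buildInputEnv`, `getInput` and `runAutomerge`, the store layout and the token value are assumptions made for the example.

```javascript
// Simplified model (an assumption for illustration, not GitHub's implementation):
// which secret store a run reads from depends on the actor that triggered it.
const DEPENDABOT = 'dependabot[bot]';

function resolveSecrets(actor, stores) {
  return actor === DEPENDABOT ? stores.dependabot : stores.actions;
}

// The runner hands each `with:` value to the action as an INPUT_* environment
// variable; a secret expression that does not resolve renders as an empty string.
function buildInputEnv(withBlock, secrets) {
  const env = {};
  for (const [name, value] of Object.entries(withBlock)) {
    const rendered = value.replace(/\$\{\{\s*secrets\.(\w+)\s*\}\}/g,
      (_, key) => secrets[key] ?? '');
    env[`INPUT_${name.replace(/ /g, '_').toUpperCase()}`] = rendered;
  }
  return env;
}

// Re-implementation of a required-input lookup that mirrors the check in the log:
// an empty value is indistinguishable from an input that was never passed.
function getInput(env, name, { required = false } = {}) {
  const val = env[`INPUT_${name.replace(/ /g, '_').toUpperCase()}`] || '';
  if (required && !val) throw new Error(`Input required and not supplied: ${name}`);
  return val.trim();
}

// The `with:` block is the one from the job in this issue.
function runAutomerge(actor, stores) {
  const withBlock = { 'github-token': '${{ secrets.PAT_REPO }}', target: 'minor' };
  const env = buildInputEnv(withBlock, resolveSecrets(actor, stores));
  try {
    getInput(env, 'github-token', { required: true });
    return 'ok';
  } catch (err) {
    return err.message;
  }
}

// Constructed sample stores; the token value is a placeholder.
const before = { actions: { PAT_REPO: 'placeholder-token' }, dependabot: {} };
const after = { ...before, dependabot: { PAT_REPO: 'placeholder-token' } };

console.log(runAutomerge(DEPENDABOT, before)); // first run, triggered by Dependabot
console.log(runAutomerge('austins', before));  // manual re-run by a human actor
console.log(runAutomerge(DEPENDABOT, after));  // secret also stored for Dependabot
```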