Problem
Dependabot PRs (e.g. #1707) fail CI because GitHub's security policy treats Dependabot-triggered workflows like fork PRs — they cannot access standard Actions secrets. Only secrets stored in the separate Dependabot secrets store are available.
Context
GitHub maintains two separate secret stores:
- Actions secrets (Settings → Secrets and variables → Actions) — used by regular contributor PRs
- Dependabot secrets (Settings → Secrets and variables → Dependabot) — used by Dependabot-triggered workflows
When Dependabot triggers a pull_request event, secrets like COPILOT_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN, and GH_AW_GITHUB_TOKEN resolve to empty strings, causing CI failures.
See: https://docs.github.com/en/code-security/dependabot/troubleshooting-dependabot-on-github-actions
Proposed Fix
Duplicate the following secrets into the Dependabot secrets store:
- COPILOT_GITHUB_TOKEN
- Any other secrets required by CI workflows
This allows the same workflow YAML to work for both regular and Dependabot PRs — GitHub automatically selects the correct secret store based on the triggering actor.
Related
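To work out which "other secrets required by CI workflows" still need duplicating, the sketch below scans workflow text for `secrets.NAME` references and reports the names absent from the Dependabot store. It is an added example, not code from this repository; the workflow path, the sample workflow and the store contents are constructed, and the store's names are assumed to be supplied as a list.

```python
import re

# Dotted references such as ${{ secrets.NAME }}; bracket syntax is not handled.
SECRET_REF = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")
# GITHUB_TOKEN is issued automatically to each run and is never stored.
AUTOMATIC = {"GITHUB_TOKEN"}


def referenced_secrets(workflow_text):
    """Return the stored-secret names a workflow file references."""
    names = set()
    for line in workflow_text.splitlines():
        code = re.sub(r"(^|\s)#.*$", "", line)  # drop YAML comments
        # Secret names are case-insensitive, so normalise before comparing.
        names.update(n.upper() for n in SECRET_REF.findall(code))
    return names - AUTOMATIC


def missing_from_dependabot(workflows, dependabot_store):
    """Map each workflow path to the secrets absent from the Dependabot store."""
    store = {n.upper() for n in dependabot_store}
    gaps = {}
    for path, text in workflows.items():
        missing = sorted(referenced_secrets(text) - store)
        if missing:
            gaps[path] = missing
    return gaps


# Constructed sample: one workflow and a store holding a single secret.
SAMPLE_WORKFLOWS = {
    ".github/workflows/ci.yml": """\
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    env:
      COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
      GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - run: make test  # secrets.NOT_A_REAL_REF appears only in a comment
""",
}
SAMPLE_DEPENDABOT_STORE = ["COPILOT_GITHUB_TOKEN"]

if __name__ == "__main__":
    gaps = missing_from_dependabot(SAMPLE_WORKFLOWS, SAMPLE_DEPENDABOT_STORE)
    for path, names in gaps.items():
        print(f"{path}: missing from Dependabot store: {', '.join(names)}")
```

Each name it reports is a credential that Dependabot-triggered runs would receive once duplicated, so the list is also a prompt to check that each token carries no more scope than CI needs.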