Comments (2)
It turns out the default `secrets.GITHUB_TOKEN` does not have enough permissions to allow access to the Dependabot vulnerabilities GraphQL endpoints. I was able to fix that by creating a PAT with the `public_repo` scope and passing it to the `github-token` action parameter instead. See https://github.com/SalimBensiali/le-blanc-jewellery/blob/584b38d698d92edbd62d5f93ce8d4edf4333d4ca/.github/workflows/dependabot-auto-label.yml#L24
I only found out about this by accident/luck, as documentation around this was very limited. See https://chezsoi.org/lucas/blog/listing-all-github-security-alerts-of-a-user-s-projects-using-graphql-and-python.html where it is being mentioned.
To create a PAT see https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token
I can raise a PR to add this to the docs.
@SalimBensiali Ah, apologies for that. We have a few places where the `GITHUB_TOKEN` should be substituted for one with augmented permissions.
I need to make some other updates to the documentation so I will incorporate this.
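The token swap described in this thread, as an added example workflow (not code from the thread, the linked repository or the fetch-metadata project). The secret name `DEPENDABOT_PAT`, the `security` label and the `@v2` tag are assumptions; the commented-out line is the default-token setting that the first comment reports as lacking access.

```yaml
# Added example. Assumed names: DEPENDABOT_PAT (secret), "security" (label), @v2 (action tag).
name: dependabot-alert-label
on: pull_request

# Keep the built-in token at the minimum this job needs; the PAT is used
# only for the alert lookup step.
permissions:
  contents: read
  pull-requests: write

jobs:
  label:
    runs-on: ubuntu-latest
    # Run only for Dependabot's own PRs so the PAT is never handed to
    # workflow runs started by other PR authors.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - id: meta
        uses: dependabot/fetch-metadata@v2
        with:
          alert-lookup: true
          # Setting reported in the thread as lacking access to the alert data:
          # github-token: ${{ secrets.GITHUB_TOKEN }}
          # Replacement: a PAT created with only the public_repo scope.
          # For Dependabot-triggered runs the secret must be stored as a
          # Dependabot secret, not an Actions secret.
          github-token: ${{ secrets.DEPENDABOT_PAT }}

      - name: Label PRs tied to an open alert
        if: steps.meta.outputs.alert-state == 'OPEN'
        run: gh pr edit "$PR_URL" --add-label security
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          # Labelling needs no alert access, so the built-in token is enough here.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

A PAT acts with its owner's rights on every repository the scope covers, so keep it to the single scope named in the thread and rotate it on a schedule.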