Dependabot PR "secret is not available" in CI workflows
Workflows triggered by a Dependabot pull request run with a read-only GITHUB_TOKEN and without your normal Actions secrets, because Dependabot PRs are treated as untrusted. Steps that read ${{secrets.X}} see empty values unless you grant them explicitly.
What this error means
A workflow step on a Dependabot PR fails or behaves as if a secret is blank, and logs show "secret is not available" or an auth failure that never happens on normal PRs.
Warning: Skip output 'token' since it may contain secret.
Error: secret is not available on pull_request events from a fork or Dependabot.Common causes
Dependabot PR events do not carry Actions secrets
On pull_request events raised by Dependabot, GitHub omits repository/organization Actions secrets and downgrades GITHUB_TOKEN to read-only by default.
The secret was added under Actions, not Dependabot
A secret a Dependabot-triggered job needs must exist in the Dependabot secrets store, or be passed through explicitly, to be visible.
How to fix it
Grant Dependabot secrets explicitly
- Add the needed secret under Settings > Secrets and variables > Dependabot.
- Reference it in the workflow so Dependabot-triggered runs can read it.
- Keep write-scoped work behind a check on the actor.
jobs:
build:
runs-on: ubuntu-latest
steps:
- env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm ciSplit trusted work into a separate triggered workflow
Use a workflow_run job that runs after the PR workflow to perform actions that need full secrets, gated on the originating event, rather than exposing secrets to the PR job itself.
How to prevent it
- Store secrets Dependabot jobs need under the Dependabot secrets store.
- Assume Dependabot PR jobs are read-only and secret-free by default.
- Isolate privileged steps from PR-triggered jobs.