Dependabot and GH API access

[jnus]

Been running into some issues with this action and Dependabot PR's, when uploading the test result to the GH API. I've got a organization level token specified ,(ORG_GITHUB_TOKEN) as the REPO_TOKEN parameter, since Dependabot does not have access to GITHUB-TOKEN but get the following errror

Syntax

    - name: Parse Trx files
      uses: NasAmin/[email protected]
      id: trx-parser
      if: always()
      with:
        TRX_PATH: ${{ github.workspace }}/TestResults
        REPO_TOKEN: ${{ secrets.ORG_GITHUB_TOKEN }}

Error

....
Creating PR check for ORBIT UNITTESTS
Creating status check for GitSha: c040653ee8bead3071fee97ac7d27f52[18](https://github.com/...api/runs/5380650173?check_suite_focus=true#step:7:18)6c681d on a pull request event
Check time is: Tue, 01 Mar 2022 [19](https://github.com/...api/runs/5380650173?check_suite_focus=true#step:7:19):09:12 GMT
Error: Resource not accessible by integration
....

Should Dependabot not be able to write to GH API with this?

[NasAmin]

Hi @jnus

Thanks for opening an issue.

The issue you are seeing was introduced by GitHub to not allow access to workflow secrets to dependabot due to some security concerns on forked repositories.

However, this had affected normal repos even for orgs that don't allow forks.

GitHub now allows you to specify which permissions dependabot can get.
Docs: https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/

For reference, please checkout the test workflow from this repo.

Hope this helps.