GitHub Actions: Changes to permissions in workflows triggered by Dependabot

Starting 12-09-2021, GitHub Actions workflows triggered by Dependabot for the create, deployment, and deployment_status events will always receive a read-only token and no secrets.

Starting 12-09-2021, GitHub Actions workflows triggered by Dependabot for the pull_request_target event on pull requests where the base ref was created by Dependabot will always receive a read-only token and no secrets.

Both changes are designed to prevent potentially malicious code from executing in a privileged workflow.

Learn more about using Actions and Dependabot together

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap

JUN.12Retired
GitHub Actions: Minimum version enforcement timeline for self-hosted runners
- Actions
JUN.11Improvement
Bot-created pull requests can run workflows if approved
- Actions
JUN.11Release
GitHub Agentic Workflows is now in public preview
- Actions
JUN.11Release
New runner images in public preview
- Actions
MAY.14Improvement
GitHub Actions: Upcoming image migrations
- Actions
MAY.7Improvement
GitHub Actions concurrency groups now allow larger queues
- Actions
APR.27Improvement
Copilot cloud agent starts 20% faster with Actions custom images
- Actions
APR.27Release
GitHub Copilot code review will start consuming GitHub Actions minutes on June 1, 2026
- Actions
APR.24Improvement
Notice about upcoming new format for GitHub App installation tokens
- Actions

GitHub Actions: Changes to permissions in workflows triggered by Dependabot

Related Posts

Subscribe to our developer newsletter