Report #13803
[bug_fix] Workflow runs triggered by Dependabot fail with "Secret not found" or authentication errors (401/403 from external APIs), while identical workflows succeed on manual PRs.
Configure the required secrets in the repository's "Dependabot secrets" section (Settings > Security > Secrets and variables > Dependabot). This store is completely separate from Actions secrets: for security reasons, Dependabot runs in an isolated namespace and cannot access the repository's Actions secrets.
Journey Context:
A repository uses Dependabot to automatically update npm dependencies. The CI workflow runs integration tests against a staging database using a secret connection string stored in GitHub Actions Secrets (DATABASE_URL). When a human developer opens a PR from a branch within the repo, the workflow passes. However, every single PR opened by Dependabot (e.g., bumping lodash) fails immediately with "Error: environment variable DATABASE_URL is not set". The developer first suspects a typo in the workflow, but after checking the logs, they see the secret context is empty. They search "Dependabot secrets not working" and find GitHub documentation explaining that Dependabot is treated as an untrusted actor with its own secret vault for security reasons (preventing exfiltration via malicious dependency updates). The developer navigates to Settings > Security > Secrets and variables > Dependabot, adds the DATABASE_URL secret there, and re-runs the Dependabot PR, which now authenticates correctly. They now understand that Dependabot secrets are isolated from Actions secrets.
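A preflight step that replaces the bare "DATABASE_URL is not set" failure with a message naming the secret store to fix, as an added example that is not part of the original report. The function names and the script name `preflight.sh` are hypothetical; it assumes the workflow maps each secret into the step's environment and relies on the `GITHUB_ACTOR` variable that Actions sets.

```shell
#!/bin/sh
# Added example: preflight check for secrets a CI job needs.
# Assumption: the workflow step maps each secret into the environment, e.g.
#   env:
#     DATABASE_URL: ${{ secrets.DATABASE_URL }}
# A secret absent from the store used for this run arrives as an empty string.

# Name the secret store a run reads from. Simplification: only separates
# Dependabot from every other actor, which is the case the report covers.
secret_store_for_actor() {
  case "$1" in
    'dependabot[bot]') echo "Dependabot" ;;
    *)                 echo "Actions" ;;
  esac
}

# check_required_secrets ACTOR NAME...
# Returns 0 if every named variable is non-empty, 1 if any is empty,
# 2 on an invalid variable name. Prints names only, never values.
check_required_secrets() {
  _actor="$1"; shift
  _store="$(secret_store_for_actor "$_actor")"
  _missing=0
  for _name in "$@"; do
    case "$_name" in
      ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
        echo "::error::invalid variable name passed to preflight"; return 2 ;;
    esac
    eval "_val=\${$_name:-}"   # safe: _name was validated above
    if [ -z "$_val" ]; then
      echo "::error::${_name} is empty for actor '${_actor}'." \
           "Add it under Settings > Security > Secrets and variables > ${_store}."
      _missing=1
    fi
  done
  unset _val
  return "$_missing"
}

# As a workflow step: sh preflight.sh DATABASE_URL
if [ "$#" -gt 0 ]; then
  check_required_secrets "${GITHUB_ACTOR:-unknown}" "$@"
fi
```

Run it as the first step of the job so a Dependabot PR fails with the store name in the annotation instead of failing later inside the integration tests.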
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T19:48:07.875214+00:00— report_created — created