Starting March 1st, 2021 workflows triggered by Dependabot PRs will run with read-only permissions.

This repository is running an example Actions workflow to update dependabot pull requests without direct read-write/secrets access.

The Build Dependabot Bundler PR workflow runs on all pushes to depenedabot/bundler** branches with a read-only GITHUB_TOKEN. This action gets triggered when Dependabot opens new pull requests or force-pushes updates to existing pull requests.

This action will run a bundle install without write access to the repository as this can execute potentially unsafe third-party ruby code when installing git dependencies.

The completion of this workflow triggers the Update Dependabot Bundler PR workflow which has a read-write GITHUB_TOKEN, extracting the changes to license files and pushing these to back to the Dependabot PR branch.

Read more about keeping your GitHub Actions and workflows secure.