Add special dependabot error message

2026-01-06 22:50:17 +08:00 · 2021-03-30 13:25:12 +01:00
parent bf8daada40
commit d4edded3ea
3 changed files with 27 additions and 3 deletions
--- a/src/actions-util.ts
+++ b/src/actions-util.ts
@@ -628,7 +628,15 @@ export async function sendStatusReport<S extends StatusReportBase>(
    if (isHTTPError(e)) {
      switch (e.status) {
        case 403:
-          core.setFailed(e.message || GENERIC_403_MSG);
+          if (isDependabotActor()) {
+            core.setFailed(
+              'Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
+                'To use Code Scanning with Dependabot please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for dependabot branches. ' +
+                "See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags for more information on how to configure these events."
+            );
+          } else {
+            core.setFailed(e.message || GENERIC_403_MSG);
+          }
          return false;
        case 404:
          core.setFailed(GENERIC_404_MSG);
@@ -655,6 +663,11 @@ export async function sendStatusReport<S extends StatusReportBase>(
  }
 }

+// Is dependabot the actor that triggered the current workflow run.
+function isDependabotActor() {
+  return process.env["GITHUB_ACTOR"] === "dependabot[bot]";
+}
+
 // Is the current action executing a local copy (i.e. we're running a workflow on the codeql-action repo itself)
 // as opposed to running a remote action (i.e. when another repo references us)
 export function isRunningLocalAction(): boolean {