Fixing Dependabot Build Failures
A long while back I noticed my personal site's automated Dependabot pull requests were failing their required checks (a bunch of GitHub Actions to run tests against changes). I ignored them because my site is static — there simply isn't that much to attack — but I didn't like seeing my personal site mentioned weekly in my Dependabot summary email. When I looked at the build failures, I saw critical environment variables (namely the API keys to get content from my CMS) were unset.
When I finally decided to tackle the problem, I stopped after I got lost in this article: https://securitylab.github.com/research/github-actions-preventing-pwn-requests
I understand the threat they're protecting against (untrusted code accessing and potentially extracting secrets), but I was having a tough time wrapping my head around the solution they propose.
Luckily for me, I didn't need to go down that road just to unblock Dependabot, because GitHub keeps a separate set of secrets for Dependabot: workflow runs triggered by Dependabot don't receive the repository's regular Actions secrets, only the ones stored under Dependabot, which is why those values were unset in my builds. To fix my problem, I went to my repository settings, "Secrets and variables", "Dependabot", and added the missing secrets there.
It took me about 10 minutes to find the exact key names and values, but that was the hardest part. Then I commented @dependabot recreate on the stalled PRs to get Dependabot to rebase them, which triggered new GitHub Actions runs; those passed now that the missing values were available.
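The check I wish I had run before the PRs started failing: compare the secrets a workflow references against the names stored in the Dependabot secret store and report the gaps. This is an added example, not code from the original post; the workflow fragment and the Dependabot secret list are constructed stand-ins (in a real repository the list comes from gh secret list --app dependabot), and the secret names CMS_API_KEY and CMS_SPACE_ID are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): find secrets a workflow
# references that are missing from the Dependabot secret store, so
# Dependabot-triggered runs don't fail with unset variables.
#
# Assumptions: the workflow text and the Dependabot secret list below are
# constructed for illustration; secret names are hypothetical.

# Constructed stand-in for .github/workflows/ci.yml
WORKFLOW_YAML='
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build
        env:
          CMS_API_KEY: ${{ secrets.CMS_API_KEY }}
          CMS_SPACE_ID: ${{ secrets.CMS_SPACE_ID }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
'

# Constructed stand-in for the output of:
#   gh secret list --app dependabot | awk '{print $1}'
DEPENDABOT_SECRETS='CMS_SPACE_ID'

# workflow_secret_refs WORKFLOW_TEXT
# Prints, one per line, every NAME used as ${{ secrets.NAME }} in the
# workflow, except GITHUB_TOKEN, which every run gets automatically.
workflow_secret_refs() {
  printf '%s\n' "$1" \
    | grep -o 'secrets\.[A-Za-z_][A-Za-z0-9_]*' \
    | sed 's/^secrets\.//' \
    | grep -v '^GITHUB_TOKEN$' \
    | sort -u
}

# missing_dependabot_secrets WORKFLOW_TEXT DEPENDABOT_SECRET_NAMES
# Prints the referenced names that are absent from the Dependabot list
# (one name per line in DEPENDABOT_SECRET_NAMES).
missing_dependabot_secrets() {
  refs=$(workflow_secret_refs "$1")
  for name in $refs; do
    if ! printf '%s\n' "$2" | grep -qx "$name"; then
      printf '%s\n' "$name"
    fi
  done
}

missing=$(missing_dependabot_secrets "$WORKFLOW_YAML" "$DEPENDABOT_SECRETS")
if [ -n "$missing" ]; then
  echo "Secrets referenced by the workflow but not set for Dependabot:"
  printf '  %s\n' $missing
  echo "Set each one with: gh secret set <NAME> --app dependabot"
else
  echo "All workflow secrets are available to Dependabot."
fi
```

To run it against a real repository, replace WORKFLOW_YAML with the contents of the workflow file and DEPENDABOT_SECRETS with the piped output of gh secret list --app dependabot; the same names can then be stored for Dependabot with gh secret set NAME --app dependabot instead of clicking through the settings page.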
I can't believe I waited that long to address it.