From b0011f5689ebf3715c5156d34498fde052693a67 Mon Sep 17 00:00:00 2001 From: Harry Marr Date: Thu, 1 Sep 2022 14:19:07 +0100 Subject: [PATCH] Add note about Dependabot and secrets access --- README.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 7cb7532..81b354a 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ Combine with an `if` clause to only auto-approve certain users. For example, to ```yaml name: Auto approve -on: pull_request +on: pull_request_target jobs: auto-approve: @@ -67,7 +67,7 @@ Optionally, you can provide a message for the review: ```yaml name: Auto approve -on: pull_request +on: pull_request_target jobs: auto-approve: @@ -81,6 +81,8 @@ jobs: review-message: "Auto approved automated PR" ``` +### Approving on behalf of a different user + By default, this will use the [automatic GitHub token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) that's provided to the workflow. This means the approval will come from the "github-actions" bot user. Make sure you enable the `pull-requests: write` permission in your workflow. To approve the pull request as a different user, pass a GitHub Personal Access Token into the `github-token` input. In order to approve the pull request, the token needs the `repo` scope enabled. @@ -88,7 +90,7 @@ To approve the pull request as a different user, pass a GitHub Personal Access T ```yaml name: Auto approve -on: pull_request +on: pull_request_target jobs: auto-approve: 
@@ -99,6 +101,12 @@ jobs: github-token: ${{ secrets.SOME_USERS_PAT }} ``` +### Approving Dependabot pull requests + +When a workflow is run in response to a Dependabot pull request using the `pull_request` event, the workflow won't have access to secrets. If you're trying to use a Personal Access Token (as above) but getting an error on Dependabot pull requests, this is probably why. + +Fortunately the fix is simple: use the `pull_request_target` event instead of `pull_request`. This runs the workflow in the context of the base branch of the pull request, which does have access to secrets. + ## Why? GitHub lets you prevent merges of unapproved pull requests. However, it's occasionally useful to selectively circumvent this restriction - for instance, some people want Dependabot's automated pull requests to not require approval.
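Review bot: the first two hunks (the `if`-clause example at `@@ -28,7` and the `review-message` example at `@@ -67,7`) switch `-on: pull_request` to `+on: pull_request_target` for workflows that use only the automatic token, which by the README's own wording is the case that does not need secrets; only the PAT example (`github-token: ${{ secrets.SOME_USERS_PAT }}`) and the new Dependabot section require it. Since the added section explains that `pull_request_target` runs the workflow in the base-branch context with secrets access, flipping every example to it grants that context to jobs that never needed it. Suggest keeping `on: pull_request` in the first two examples and changing only the PAT example, or adding a sentence to each example saying why the target event is chosen.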
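Review bot: in the `@@ -81,6` hunk the new heading `### Approving on behalf of a different user` sits above the paragraph that describes the default behaviour (automatic token, approval from the "github-actions" bot, `pull-requests: write` permission), so the first paragraph under the heading is not about a different user at all. Suggest placing the heading before "To approve the pull request as a different user, pass a GitHub Personal Access Token ..." and leaving the default-token paragraph under the preceding section.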
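Review bot: the new `### Approving Dependabot pull requests` section recommends `pull_request_target` without any caveat, even though the section itself states that this "runs the workflow in the context of the base branch of the pull request, which does have access to secrets". Suggest adding a sentence that a job using this trigger must not check out or execute code from the pull request head, since that code would then run with the base branch's secrets and token; this action only needs the pull request number and a token, so the documented examples stay safe as long as no such step is added to the job. The sentence "If you're trying to use a Personal Access Token (as above) but getting an error on Dependabot pull requests" could also say what the failure looks like (the `secrets.SOME_USERS_PAT` value resolving to empty because secrets are unavailable), so readers can match it to what they see.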