Merge pull request #435 from github/robertbrignull/dependabot_error

Add special error message case for dependabot

lib/actions-util.js

@@ -483,7 +483,15 @@ async function sendStatusReport(statusReport) {
         if (isHTTPError(e)) {
             switch (e.status) {
                 case 403:
-                    core.setFailed(e.message || GENERIC_403_MSG);
+                    if (workflowIsTriggeredByPushEvent() && isDependabotActor()) {
+                        core.setFailed('Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
+                            "Uploading Code Scanning results requires write access. " +
+                            'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
+                            "See https://docs.github.com/en/code-security/secure-coding/configuring-code-scanning#scanning-on-push for more information on how to configure these events.");
+                    }
+                    else {
+                        core.setFailed(e.message || GENERIC_403_MSG);
+                    }
                     return false;
                 case 404:
                     core.setFailed(GENERIC_404_MSG);
@@ -508,6 +516,14 @@ async function sendStatusReport(statusReport) {
     }
 }
 exports.sendStatusReport = sendStatusReport;
+// Was the workflow run triggered by a `push` event, for example as opposed to a `pull_request` event.
+function workflowIsTriggeredByPushEvent() {
+    return process.env["GITHUB_EVENT_NAME"] === "push";
+}
+// Is dependabot the actor that triggered the current workflow run.
+function isDependabotActor() {
+    return process.env["GITHUB_ACTOR"] === "dependabot[bot]";
+}
 // Is the current action executing a local copy (i.e. we're running a workflow on the codeql-action repo itself)
 // as opposed to running a remote action (i.e. when another repo references us)
 function isRunningLocalAction() {

src/actions-util.ts

@@ -628,7 +628,16 @@ export async function sendStatusReport<S extends StatusReportBase>(
     if (isHTTPError(e)) {
       switch (e.status) {
         case 403:
-          core.setFailed(e.message || GENERIC_403_MSG);
+          if (workflowIsTriggeredByPushEvent() && isDependabotActor()) {
+            core.setFailed(
+              'Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
+                "Uploading Code Scanning results requires write access. " +
+                'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
+                "See https://docs.github.com/en/code-security/secure-coding/configuring-code-scanning#scanning-on-push for more information on how to configure these events."
+            );
+          } else {
+            core.setFailed(e.message || GENERIC_403_MSG);
+          }
           return false;
         case 404:
           core.setFailed(GENERIC_404_MSG);
@@ -655,6 +664,16 @@ export async function sendStatusReport<S extends StatusReportBase>(
   }
 }
 
+// Was the workflow run triggered by a `push` event, for example as opposed to a `pull_request` event.
+function workflowIsTriggeredByPushEvent() {
+  return process.env["GITHUB_EVENT_NAME"] === "push";
+}
+
+// Is dependabot the actor that triggered the current workflow run.
+function isDependabotActor() {
+  return process.env["GITHUB_ACTOR"] === "dependabot[bot]";
+}
+
 // Is the current action executing a local copy (i.e. we're running a workflow on the codeql-action repo itself)
 // as opposed to running a remote action (i.e. when another repo references us)
 export function isRunningLocalAction(): boolean {