ppkarwasz commented on PR #419: URL: https://github.com/apache/logging-parent/pull/419#issuecomment-2994150613
After running some tests, I identified the following limitations with this workflow stemming from the use of `dependabot/fetch-metadata`:

* As previously mentioned, the workflow must run with the `pull_request_target` event (see dependabot/fetch-metadata#490). This imposes a restriction: the token with write permissions to the repository cannot be stored in **Dependabot Secrets**, and instead must be stored in **Actions Secrets**. The downside is that Actions Secrets are accessible to a broader range of workflows, not just those triggered by `dependabot[bot]`.
* Until dependabot/fetch-metadata#402 is resolved, version metadata will not be available for **grouped PRs**, which is a blocker: the changelog entries will not have any information about the version to which the dependency was upgraded.
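
The following configuration is an added illustration of the setup the comment describes; it is not the workflow from PR #419 or any Apache project code. The workflow name, the secret name `CHANGELOG_PUSH_TOKEN` and the script path are hypothetical; it shows the `pull_request_target` trigger, a write token read from Actions Secrets, and a stop condition for the missing version metadata on grouped PRs.

```yaml
# Added illustration; not the workflow from PR #419.
name: dependabot-changelog            # hypothetical name
on:
  pull_request_target:                # runs the base branch's copy of this file

permissions: {}                       # no default GITHUB_TOKEN scopes

jobs:
  changelog:
    # Skip every PR not opened by Dependabot, so the secret below is never
    # handed to a run of this job started by another author.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    steps:
      - id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Grouped PRs: stop instead of writing an entry with no version.
      - name: Require version metadata
        if: steps.metadata.outputs.new-version == ''
        run: |
          echo "::error::fetch-metadata returned no new-version"
          exit 1

      # Default ref under pull_request_target is the base branch (trusted code).
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Add changelog entry
        env:
          # Values go through env, not inline ${{ }} inside the script body.
          DEPENDENCY: ${{ steps.metadata.outputs.dependency-names }}
          NEW_VERSION: ${{ steps.metadata.outputs.new-version }}
          PUSH_TOKEN: ${{ secrets.CHANGELOG_PUSH_TOKEN }}   # hypothetical Actions secret
        run: .github/scripts/add-changelog-entry.sh          # hypothetical script
```

The `if:` guard only restricts this job. It does not narrow which other workflows in the repository can read the Actions secret, which is the downside the comment points out.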
