Setup doesn't mention that to review dependabot PRs one needs to set dependabot secrets in addition to repository secrets #744

@corneliusroemer

I have a GitHub Action to have Claude Code review PRs, set up to trigger on pull_request.

on:
  pull_request:
    types: [opened, ready_for_review]

...SKIP...

      - name: Run Claude Code Review
        id: claude-review
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

This action fails on PRs triggered by Dependabot (it works for PRs made by contributors):

Error: Action failed with error: Error: Environment variable validation failed:
  - Either ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN is required when using direct Anthropic API.
Error: Process completed with exit code 1.

Per GitHub documentation:

For workflows initiated by Dependabot (github.actor == 'dependabot[bot]') using the pull_request, pull_request_review, pull_request_review_comment, push, create, deployment, and deployment_status events, these restrictions apply:

  • Secrets are populated from Dependabot secrets. GitHub Actions secrets are not available.

Dependabot secrets can be added at https://github.com/OWNER/REPOSITORY/settings/secrets/dependabot under "Secrets and variables > Dependabot":

One can reuse the same name so that the workflow works for Dependabot as well as the original triggers.

This should be added to the docs so one doesn't suddenly get failing actions on Dependabot PRs.
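
An added example, not part of the issue or of the action's own code: a small audit that reads a workflow file and reports which `secrets.*` references would be empty on a Dependabot-triggered run, using the event list quoted above. The function names, the regex-based `on:` parsing and the job scaffolding in `SAMPLE` are assumptions made for illustration; the caller supplies the names present in the Dependabot secret store.

```python
import re
# Events for which Dependabot-initiated runs read Dependabot secrets (list quoted in the issue).
RESTRICTED_EVENTS = {
    "pull_request", "pull_request_review", "pull_request_review_comment",
    "push", "create", "deployment", "deployment_status"}
SECRET_REF = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")
BUILTIN = {"GITHUB_TOKEN"}  # generated per run, not kept in either secret store
# Constructed sample: the fragment from the issue, completed with made-up job scaffolding.
SAMPLE = """\
on:
  pull_request:
    types: [opened, ready_for_review]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
"""

def trigger_events(text):
    """Event names under the top-level `on:` key (string, list or mapping form)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"""^['"]?on['"]?:\s*(.*)$""", line)
        if not m:
            continue
        inline = m.group(1).split("#")[0].strip()
        if inline:  # `on: push` or `on: [push, pull_request]`
            return set(re.findall(r"[a-z_]+", inline))
        events, indent = set(), None
        for child in lines[i + 1:]:
            if not child.strip() or child.lstrip().startswith("#"):
                continue
            depth = len(child) - len(child.lstrip())
            if depth == 0:
                break  # next top-level key
            indent = depth if indent is None else indent
            if depth == indent:  # direct children of `on:` only
                events.add(child.strip().lstrip("- ").split(":")[0].strip())
        return events
    return set()

def missing_dependabot_secrets(text, dependabot_names):
    """Secrets that would be empty when Dependabot triggers this workflow."""
    if not trigger_events(text) & RESTRICTED_EVENTS:
        return set()
    return set(SECRET_REF.findall(text)) - BUILTIN - set(dependabot_names)
```

The Dependabot store's names can be listed with `gh secret list --app dependabot` and passed in as `dependabot_names`; only names are needed, never values.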
