github · adityasharad · Apr 5, 2021 · Mar 30, 2021 · Mar 30, 2021 · Mar 31, 2021
@@ -628,7 +628,16 @@ export async function sendStatusReport<S extends StatusReportBase>(
     if (isHTTPError(e)) {
       switch (e.status) {
         case 403:
-          core.setFailed(e.message || GENERIC_403_MSG);
+          if (workflowIsTriggeredByPushEvent() && isDependabotActor()) {
+            core.setFailed(
+              'Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
+                "Uploading Code Scanning results requires write access. " +
+                'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
+                "See https://docs.github.com/en/code-security/secure-coding/configuring-code-scanning#scanning-on-push for more information on how to configure these events."
+            );
+          } else {
+            core.setFailed(e.message || GENERIC_403_MSG);
+          }
           return false;
         case 404:
           core.setFailed(GENERIC_404_MSG);
@@ -655,6 +664,16 @@ export async function sendStatusReport<S extends StatusReportBase>(
   }
 }
 
+// Was the workflow run triggered by a `push` event, for example as opposed to a `pull_request` event.
+function workflowIsTriggeredByPushEvent() {
+  return process.env["GITHUB_EVENT_NAME"] === "push";
+}
+
+// Is dependabot the actor that triggered the current workflow run.
+function isDependabotActor() {
+  return process.env["GITHUB_ACTOR"] === "dependabot[bot]";
+}
+
 // Is the current action executing a local copy (i.e. we're running a workflow on the codeql-action repo itself)
 // as opposed to running a remote action (i.e. when another repo references us)
 export function isRunningLocalAction(): boolean {