trinodb/trino

dependabot-originating builds fail due to lack of secrets

Open

#28176 opened on Feb 9, 2026

View on GitHub
 (2 comments) (0 reactions) (0 assignees)Java (9,113 stars) (2,678 forks)batch import
good first issuemaintenancetest

Description

There is a problem with dependabot-initiated PR builds. The build attempt to run jobs requiring secrets and fails as the secrets are not found Example: https://github.com/trinodb/trino/actions/runs/21819342270/job/62948556703?pr=28175 (#28175)

My understanding is that dependabot-originated flows have access to repo vars, but they don't see repo secrets except those configured for dependabot itself. Given job conditions being has-var || has-secret, this leads to build failures.

proposed solution

Change job conditions to be "(has-var && !dependabot-originated) || has-secret"

Contributor guide

Tech stack
github actions
Domain
ci cddevopsbuild system
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Basic GitHub ActionsYAML syntaxUnderstanding of CI secrets
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
70
Research direction
Examine the CI workflow file at .github/workflows/ci.yml, specifically the job condition on line 587 (has var || has secret). Understand how dependabot originating PRs behave regarding secrets. The proposed fix changes the condition to (has var && !dependabot originated) || has secret. Also review the example failing run linked in the issue to confirm the error.