Update docs about permissions required for managing dependabot-related secrets #40872
Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
Pull Request Overview
This PR updates documentation to accurately reflect the current permissions required for managing Dependabot-related repository secrets. The change corrects outdated information that stated owner/admin permissions were required, updating it to reflect that write access is now sufficient for both personal and organization repositories.
- Updates permission requirements from "owner" or "admin" to "write" access
- Simplifies the language by consolidating personal and organization repository requirements
- Aligns documentation with current GitHub functionality where write access allows secret management
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
How to review these changes 👓
Thank you for your contribution. To review these changes, choose one of the following options:
A Hubber will need to deploy your changes internally to review.
Table of review links
Note: Please update the URL for your staging server or codespace.
The table shows the files in the
Key: fpt: Free, Pro, Team; ghec: GitHub Enterprise Cloud; ghes: GitHub Enterprise Server
🤖 This comment is automatically generated.
80dddbf to 0d3c995
@r7kamura Thanks for opening a PR! I'm reasonably sure this change is correct, but I'll check with the Dependabot team to make sure!
Edit: Sorry, I didn't mean Dependabot. It's getting late here. I don't remember which team we were working with on this, but it's definitely on my project board somewhere.
Why:
Historically, it was already possible to manage secrets via the REST API with Write permissions, even though the GitHub web interface did not provide a UI for it at the time. Recently, the web UI has also been updated to allow secret management directly.
(As of October 16, 2025, it appears that the current UI has an issue where, if there are no Dependabot secrets yet, the link to the page for adding them is not displayed. However, it is still possible to access and manage Dependabot secrets by directly entering the page’s URL.)
According to the following documentation, users with Write permission can now manage repository secrets:
This update to the documentation appears to have been made in the following pull request:
Based on these facts, the current explanation stating that Owner or Admin permissions are required is no longer accurate.
I’d like to propose updating the description to reflect the actual behavior — namely, that Write permissions are sufficient to manage Dependabot-related secrets.
I verified this behavior in an organization repository where I have Write permission.
I haven’t tested it in a personal repository, so there’s a chance my understanding might not be entirely accurate in that case.
Reviewers are likely more familiar with the details here, so I’d appreciate it if you could double-check whether write permission is also sufficient for personal repositories.
What's being changed (if available, include any code snippets, screenshots, or gifs):
I’ve updated the description, which previously stated that Owner or Admin permissions were required to create secrets, to now indicate that Write permission is sufficient.
Check off the following: