action-dependabot-auto-merge: "Error: Input required and not supplied: github-token"

All of a sudden I’ve been getting this error.

        throw new Error(`Input required and not supplied: ${name}`);

Error: Input required and not supplied: github-token
    at Object.getInput (/action/node_modules/@actions/core/lib/core.js:94:15)
    at file:///action/index.js:28:15
    at (node:internal/modules/esm/module_job:154:23)
    at async Loader.import (node:internal/modules/esm/loader:166:24)
    at async Object.loadESM (node:internal/process/esm_loader:68:5)


I haven’t touched my personal access tokens. And auto-merge hasn’t been upgraded on the project in 3 months. It just stopped working today all of a sudden. Sample PR:

I don’t know if it’s a bug or user-error. Or a problem with GitHub Actions changing under our feet.

I did try generating a new access token (using the public_repo scope) to see if that would make it work. But arguably, it’s a long shot because the error says the token isn’t supplied.

About this issue

  • Original URL
  • State: open
  • Created 3 years ago
  • Reactions: 15
  • Comments: 33 (11 by maintainers)

Commits related to this issue

Most upvoted comments

I run into the same issue on a private repo. But after some time I realized the token needs to added to the Depandabot section instead of Actions section which make it work for me. secrets-secion

and it wasn’t just THIS action … seems like EVERY Personal Access Token wasn’t being read properly, here’s an example of a job that relies on a different PAT for usage with Github Package Registry:


upon re-running the job that also worked fine.

so … a global hiccup of all Personal Access Tokens (or all secrets) across Github!

I’m moving this discussion to which details full context.

they answer me with something unrelated with my bug, but I want to share it with you because I didn’t know it.

We recently made changes to dependabot which means they will receive a read-only GITHUB_TOKEN and will not have access to any secrets available in the repository.

@peterbe I hope this is your issue.

no worries, let us know if you learn of anything interesting from them

I am passing a PAT to github-token but now if dependabot triggers an action this token is not injected.

oof, yeah … not sure what to do about that … this is just actions + secret permission stuff …

change here to allow pull_request_target:

“Re-run jobs” works for me but in a random way.

yes, when I did retry it works but sometimes it doesn’t work… it is random. So I am waiting for confirmation from GitHub customer support.

thanks for your confirmation. and thanks for your work.