Dependabot on Actions page does not document Variables accessibility

[gokcedemir]

Code of Conduct

• I have read and agree to the GitHub Docs project's Code of Conduct

What article on docs.github.com is affected?

What's wrong?

The Dependabot on GitHub Actions page lists restrictions when Dependabot triggers events, but does not mention anything about Actions Variables.

The current docs only say:

Secrets are populated from Dependabot secrets. GitHub Actions secrets are not available.

There is no mention of whether Actions Variables are accessible.

What should it say?

After testing, Actions Variables are accessible in Dependabot-triggered workflows. This should be documented.

Test repo: https://github.com/gokcedemir/dependabot-variables-test

Evidence

Workflow log shows:

• Secret source: Dependabot (secrets come from Dependabot store)
• TEST_VAR = hello_from_actions (Actions variable was accessible)

Related

• Community discussion where this was announced but never documented: https://github.com/orgs/community/discussions/44088

What part(s) of the article would you like to see updated?

The "Restrictions when Dependabot triggers events" section should add a note that Actions Variables (vars context) ARE accessible in Dependabot-triggered workflows, unlike Actions Secrets which are not.

Suggested addition after the existing restrictions list:
"Actions variables (vars context) are accessible in workflows triggered by Dependabot."

Additional information

I tested this with a public repo: https://github.com/gokcedemir/dependabot-variables-test

The workflow log confirmed:

• Secret source: Dependabot
• vars.TEST_VAR was successfully accessed with its value

Screenshot of the log can be provided if needed.

[welcome]

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.