From 08b707226c90557711bcbd94aff3daaec826829b Mon Sep 17 00:00:00 2001 From: gokcedemir Date: Fri, 24 Apr 2026 15:34:58 +0200 Subject: [PATCH] docs: document that Actions variables are accessible in Dependabot workflows --- .../reference/supply-chain-security/dependabot-on-actions.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/code-security/reference/supply-chain-security/dependabot-on-actions.md b/content/code-security/reference/supply-chain-security/dependabot-on-actions.md index 43636ee18740..d46c38cf3f6a 100644 --- a/content/code-security/reference/supply-chain-security/dependabot-on-actions.md +++ b/content/code-security/reference/supply-chain-security/dependabot-on-actions.md @@ -19,6 +19,7 @@ For workflows initiated by {% data variables.product.prodname_dependabot %} (`gi * `GITHUB_TOKEN` has read-only permissions by default. * Secrets are populated from {% data variables.product.prodname_dependabot %} secrets. {% data variables.product.prodname_actions %} secrets are not available. +* Actions variables (`vars` context) are accessible. For workflows initiated by {% data variables.product.prodname_dependabot %} (`github.actor == 'dependabot[bot]'`) using the `pull_request_target` event, if the base ref of the pull request was created by {% data variables.product.prodname_dependabot %} (`github.event.pull_request.user.login == 'dependabot[bot]'`), the `GITHUB_TOKEN` will be read-only and secrets are not available.
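Review bot: The added bullet writes the product name as plain "Actions", while the bullet directly above it uses `{% data variables.product.prodname_actions %}`; use the same variable in the new line so the list stays consistent. The bullet also leaves its scope open: the unchanged paragraph after it, covering `pull_request_target` with a Dependabot-created base ref, says only that `GITHUB_TOKEN` is read-only and that secrets are not available, so a reader cannot tell whether the `vars` context is still accessible in that case. Consider stating that explicitly there. Since the surrounding bullets describe restrictions (read-only token, no Actions secrets) and this one describes something that stays readable, a short clause noting that values in `vars` should not hold sensitive data would help.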