require-fetch-metadata-github-token

Rule catalog ID: R110

Targeted pattern scope

Workflow steps that use dependabot/fetch-metadata.

What this rule reports

This rule reports fetch-metadata steps that do not configure with.github-token.

Why this rule exists

dependabot/fetch-metadata needs a token to retrieve pull request dependency metadata. Requiring the token input makes the workflow contract explicit and avoids subtle runtime failures.

❌ Incorrect

- uses: dependabot/fetch-metadata@v2

✅ Correct

- uses: dependabot/fetch-metadata@v2
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}

Additional examples

This rule only checks for the presence of a non-empty token input. It does not prescribe a specific secret name.

ESLint flat config example

import githubActions from "eslint-plugin-github-actions-2";

export default [githubActions.configs.security];

When not to use it

Disable this rule only if the action changes to no longer require an explicit token input.

Targeted pattern scope​

What this rule reports​

Why this rule exists​

❌ Incorrect​

✅ Correct​

Additional examples​

ESLint flat config example​

When not to use it​

Further reading​