@types/github-script install fails in github action in dependabot pr's #487

Open
Quintisimo opened this issue Sep 17, 2024 · 5 comments

@Quintisimo

Describe the bug
When npm dependencies are being installed in a GitHub Action in a Dependabot PR, it fails on @types/github-script with a permission denied error. I am using pnpm, but I would assume this error occurs in all package managers.

To Reproduce
Steps to reproduce the behavior:

  1. Install @types/github-script
  2. Add a github action to run pnpm install
  3. Wait for dependabot to create a pr and run pnpm install in github action
  4. See error

Expected behavior
The install is successful

Screenshots
CleanShot 2024-09-17 at 10 58 32@2x

Desktop (please complete the following information):

  • OS: linux

@joshmgross
Member

Can you include the full set of commands you're using to install the types?

@Quintisimo
Author

  • To install the types in my project I ran: pnpm add -D @actions/github-script@github:actions/github-script
  • In the github action I run:

      - name: Install pnpm
        uses: pnpm/action-setup@v4
        with:
          version: ${{ steps.pnpm_version.outputs.version }}

      - name: Install Node
        uses: actions/setup-node@v4
        with:
          node-version: ${{ steps.node_version.outputs.version }}

      - name: Install dependencies
        working-directory: ${{ inputs.working-directory }}
        shell: bash
        run: pnpm install
        env:
          NODE_AUTH_TOKEN: ${{ inputs.node-auth-token }}

Just to note again, this error only occurs in PRs that are created by Dependabot for dependencies or security updates. The install works fine in normal PRs.

@joshmgross
Member

@Quintisimo where does node-auth-token come from?

If that's an Actions secret, is it also set as a Dependabot secret?

https://docs.github.com/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#investigating-failed-workflow-runs

@Quintisimo
Author

@joshmgross yes, I have set it both as an Actions secret and a Dependabot secret.

@joshmgross
Member

Could you provide the full workflow?
