zlacker

1. Tainno (OP) 2021-08-19 22:16:03
The dependabot issue is insane, and the whole way this issue arose (it used to work before this limitation was introduced) indicates that the security team and the dependabot team at GitHub just didn't talk to each other.

(There's a workaround for the dependabot issue though: use pull_request_target instead and explicitly check out the SHA of the branch. Then the run can access the secrets.)

I would also add "you can't rerun single jobs" and "actions can't call other actions" to the list of grievances.
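The pull_request_target workaround the comment above describes, written out as a GitHub Actions workflow. This is an added example, not the poster's own configuration; the workflow name, the `npm` commands and the `NPM_TOKEN` secret are assumptions. The caveat a practitioner should keep in mind: a pull_request_target job runs with the base repository's secrets, and a plain `actions/checkout` in it checks out the base branch, which is why the PR head SHA has to be requested explicitly. That same property means the job executes whatever the PR head contains with those secrets in scope, so it is gated here to Dependabot-authored PRs rather than left open to every pull request.

```yaml
# Added example (not from the original post). Names are illustrative.
name: dependabot-ci

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Read-only token for the job; only the explicitly referenced secret is
# exposed below.
permissions:
  contents: read

jobs:
  test:
    # pull_request_target runs in the base repository's context with
    # secrets available, so restrict it to PRs opened by Dependabot.
    # Without this condition a fork PR that reaches this job would run
    # the fork's code with NPM_TOKEN in its environment.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          # Default checkout for pull_request_target is the base branch;
          # request the PR head commit explicitly so the PR's changes
          # (the dependency bump) are what gets tested.
          ref: ${{ github.event.pull_request.head.sha }}

      - uses: actions/setup-node@v3
        with:
          node-version: '18'

      # Assumed build/test commands; the secret is available here because
      # the trigger is pull_request_target, not pull_request.
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The `if:` guard is the important line: the "explicitly check out the SHA" step is what makes the workaround work, and it is also what makes an ungated pull_request_target job run untrusted code with repository secrets.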
