
ci(security): skip deps gate on Dependabot-triggered runs#511

Merged
ericfitz merged 1 commit into
mainfrom
fix/deps-gate-skip-dependabot
Jul 1, 2026

Conversation

@ericfitz

@ericfitz ericfitz commented Jul 1, 2026

Owner

Problem

The Security Deps Gate fails on every Dependabot PR (e.g. #508). Dependabot-triggered workflow runs execute in a restricted context with no access to Actions secrets, so the create-github-app-token step gets an empty app-id and errors:

The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string.

Fix

Skip the gate job when github.actor == 'dependabot[bot]'. Rationale:

  • The gate inspects main's Dependabot-alert state; alerts aren't computed per PR branch, so running it on a PR is redundant.
  • It still runs on push-to-main and the daily schedule (which have secrets), which is where it actually gates.
  • PR-introduced vulnerable deps remain covered by the required Dependency Review check.

Unblocks the clean merge of Dependabot PRs like #508 (gitleaks-action v2→v3).

🤖 Generated with Claude Code

Dependabot-triggered workflow runs execute in a restricted context with no
access to Actions secrets, so the App-token step (secrets.DEPS_BOT_APP_ID /
DEPS_BOT_APP_PRIVATE_KEY) fails with an empty app-id and reddens every
Dependabot PR. The gate only inspects main's Dependabot-alert state — alerts
aren't computed per PR branch — so it is redundant on a PR regardless. Skip it
when github.actor is dependabot[bot]; the push-to-main and daily schedule runs
(which have secrets) continue to enforce it, and PR-introduced vulnerable deps
are still covered by the required Dependency Review check.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Kk9GxWS9EpazjbwBKfMpUX
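The following is an added illustration, not the repository's actual workflow file: a minimal Security Deps Gate workflow wired the way the PR description and commit message explain it, with the job-level skip for Dependabot-triggered runs. The workflow and job names, the schedule time, the action version and the `gh api` alert check are assumptions; only the trigger set, the skip condition and the two secret names come from the page.

```yaml
name: Security Deps Gate

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "0 6 * * *"   # daily run; exact time is an assumption

permissions:
  contents: read

jobs:
  gate:
    # Dependabot-triggered runs execute without access to Actions secrets,
    # so the App-token step below would receive an empty app-id and fail.
    # The gate only inspects main's Dependabot-alert state (alerts are not
    # computed per PR branch), so skipping it on Dependabot PRs loses
    # nothing; push-to-main and the daily schedule still enforce it.
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Mint GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.DEPS_BOT_APP_ID }}
          private-key: ${{ secrets.DEPS_BOT_APP_PRIVATE_KEY }}

      - name: Fail if main has open Dependabot alerts
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          # Assumed check: count open alerts on the repository (the App must
          # be granted read access to Dependabot alerts for this call).
          open=$(gh api \
            "repos/${GITHUB_REPOSITORY}/dependabot/alerts?state=open&per_page=100" \
            --jq 'length')
          echo "open Dependabot alerts: ${open}"
          test "${open}" -eq 0
```

Because the condition sits at the job level, the run is recorded as skipped rather than failed, so the job does not redden the Dependabot PR while PR-introduced vulnerable dependencies remain the responsibility of the separate Dependency Review check.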
@ericfitz ericfitz merged commit 08a1c79 into main Jul 1, 2026
14 of 15 checks passed
@ericfitz ericfitz deleted the fix/deps-gate-skip-dependabot branch July 1, 2026 04:24
ericfitz added a commit that referenced this pull request Jul 1, 2026
The `install_vacuum.sh` bootstrap auto-detects the latest release; when that
detection hiccups it builds a download URL with an empty version
(.../download/v/vacuum_linux_x86_64_.tar.gz) and 404s, flaking the required
OpenAPI Validation check (seen on #511). Download a pinned release asset
directly instead so the step is deterministic.


Claude-Session: https://claude.ai/code/session_01Kk9GxWS9EpazjbwBKfMpUX

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>