From c5685afad758dd57b4fddec35f54dc2bae818a1a Mon Sep 17 00:00:00 2001 From: Eric Fitzgerald Date: Wed, 1 Jul 2026 00:13:56 -0400 Subject: [PATCH] ci(security): skip the deps gate on Dependabot-triggered runs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Dependabot-triggered workflow runs execute in a restricted context with no access to Actions secrets, so the App-token step (secrets.DEPS_BOT_APP_ID / DEPS_BOT_APP_PRIVATE_KEY) fails with an empty app-id and reddens every Dependabot PR. The gate only inspects main's Dependabot-alert state — alerts aren't computed per PR branch — so it is redundant on a PR regardless. Skip it when github.actor is dependabot[bot]; the push-to-main and daily schedule runs (which have secrets) continue to enforce it, and PR-introduced vulnerable deps are still covered by the required Dependency Review check. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01Kk9GxWS9EpazjbwBKfMpUX --- .github/workflows/security-deps-gate.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/security-deps-gate.yml b/.github/workflows/security-deps-gate.yml index 6a362f3b..b6066098 100644 --- a/.github/workflows/security-deps-gate.yml +++ b/.github/workflows/security-deps-gate.yml @@ -27,6 +27,12 @@ permissions: jobs: deps-gate: name: Block on critical/high alerts in sensitive paths + # Dependabot-triggered runs get a read-only token with NO access to Actions + # secrets, so the App-token step below cannot mint a token there. The gate + # only inspects main's Dependabot-alert state (alerts are not computed per + # PR branch), so it is redundant on a PR anyway. Skip on Dependabot; the + # push-to-main and daily schedule runs still enforce the gate. + if: ${{ github.actor != 'dependabot[bot]' }} runs-on: ubuntu-latest steps: - name: Checkout repository
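Review bot: the new `if:` keys on who triggered the run (`github.actor != 'dependabot[bot]'`), but the comment block and the commit message both argue that the gate is redundant on any PR because it only inspects main's alert state; if that is the intended reasoning, `if: ${{ github.event_name != 'pull_request' }}` states it directly and does not depend on the actor name staying `dependabot[bot]`. If the actor check is kept on purpose, the YAML comment should say why a PR opened by anyone else should still run the gate. Also worth a line in the comment: a job-level `if` reports the job as skipped, which branch protection treats as passing, so the skip is only safe while the Dependency Review check remains a required check as the message says.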