From c209fcd26fb627be12e5f3cb923e4ad5aa1fb68c Mon Sep 17 00:00:00 2001
From: Mike Odnis
Date: Wed, 1 Jul 2026 03:03:00 -0400
Subject: [PATCH] docs(workflows): guard the security caller template against Dependabot startup_failure

---
 .github/workflows/README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index 9ae3d34..356513a 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -67,6 +67,9 @@ on:
 jobs:
   scan:
+    # Dependabot PRs can't inherit secrets into a cross-repo reusable workflow (startup_failure),
+    # which would block Dependabot's own PRs. Skip it there; push/schedule still scan the branch.
+    if: ${{ github.actor != 'dependabot[bot]' }}
     uses: resq-software/.github/.github/workflows/security-scan.yml@main
     with:
       languages: '["rust","javascript-typescript"]'
@@ -93,7 +96,7 @@ jobs:
 - `SNYK_TOKEN` — from Snyk account settings.
 - `GITLEAKS_LICENSE` — only needed for private-repo Gitleaks scans.
-`secrets: inherit` in the caller forwards all org/repo secrets.
+`secrets: inherit` in the caller forwards all org/repo secrets. Note: GitHub does **not** grant secrets to Dependabot-triggered runs, so a caller using `secrets: inherit` will `startup_failure` on Dependabot PRs — guard the job with `if: ${{ github.actor != 'dependabot[bot]' }}` (as in the template above) so those PRs aren't blocked.
 ### Harden-Runner: audit → block migration