fix(ci): skip security scan on Dependabot PRs to unblock their fix PRs #120
Walkthrough (CodeRabbit)

The security workflow job adds a conditional guard to skip execution when the workflow actor is Dependabot, with an explanatory comment describing the restricted-context failure and that Dependabot already vets dependency bumps. Push and scheduled run behavior is preserved.
AI Audit Results (summary): Found a logic issue in the security.yml if-condition that may skip scans on the default branch after a Dependabot merge. Also suggested checking ci.yml for consistency.

AI Audit Results

I have reviewed the changes in this PR and identified one logic issue and one potential oversight:

1. Potential for skipping scans on the default branch

The current

Suggested Fix:

```yaml
# GitHub Actions expressions accept only single-quoted strings; the
# double-quoted form fails to parse, so the suggestion is written with '.
if: github.event_name != 'pull_request' || github.actor != 'dependabot[bot]'
```

This ensures that scans still run on

2. Consistency across workflows

The

Apart from these points, the change correctly addresses the platform limitation regarding
Problem

The `security` workflow hits `startup_failure` on Dependabot PRs, which blocks Dependabot's own security-fix PRs from merging (its required check never passes), so dependency-vulnerability alerts stay open even though the bump is already proposed.

Why: `security.yml` is a thin caller that invokes the cross-repo reusable workflow `resq-software/.github/.github/workflows/security-scan.yml` with `secrets: inherit`. GitHub does not grant secrets to Dependabot-triggered runs, and a cross-repo reusable-workflow call that inherits secrets fails to start in that restricted context → `startup_failure`.

Fix

Skip the scan job on Dependabot PRs:

Dependabot already vetted the bump, and `push`/`schedule` runs still scan the default branch — so coverage of `main` is unchanged; only the (redundant, and currently failing) scan on Dependabot PR branches is skipped, letting those PRs go green and merge.

Scope / rollout

This is a per-repo thin caller, so the same one-line guard is needed on every repo's `security.yml` (or, better, applied to whatever template/sync generates them). This PR is on `crates` as a validating example.

Alternatives (if you'd rather keep scanning Dependabot PRs)

- `secrets: inherit` and forward the (all-optional) secrets by name.

Diagnosed while triaging the org's public repos. Please review — this changes a security-CI control.
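As an added example (not the PR's own diff, which is not reproduced on this page), here is what a per-repo thin caller looks like with the event-aware guard suggested in the audit comment, so that the `push` and `schedule` runs on the default branch are unaffected by the actor. The called workflow path and `secrets: inherit` are taken from the PR description; the workflow name `security` is the check name the description refers to; the job name `scan`, the `@main` ref, the `main` branch filter, the cron expression and the secret name `EXAMPLE_TOKEN` in the commented-out alternative are assumptions.

```yaml
# Added example, not the PR's diff. The called workflow path and
# `secrets: inherit` come from the PR description; the job name `scan`, the
# `@main` ref, the `main` branch filter and the cron are assumptions.
name: security

on:
  pull_request:
  push:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"   # assumed weekly run; any schedule works

jobs:
  scan:
    # Skip only the Dependabot pull_request run: that run gets no repository
    # secrets, so the cross-repo reusable-workflow call with `secrets: inherit`
    # never starts (startup_failure) and the required check never passes.
    # How the guard evaluates per context:
    #   pull_request, actor dependabot[bot]  -> false, job skipped
    #   pull_request, any other actor        -> true, job runs
    #   push to main, any actor              -> true, job runs (event_name is push)
    #   schedule                             -> true, job runs (event_name is schedule)
    # Expression strings must be single-quoted; double quotes are a syntax error.
    if: github.event_name != 'pull_request' || github.actor != 'dependabot[bot]'
    uses: resq-software/.github/.github/workflows/security-scan.yml@main
    secrets: inherit
    # Alternative from the PR description, if Dependabot PRs should still be
    # scanned: drop `secrets: inherit` above and forward the (optional) secrets
    # by name instead. EXAMPLE_TOKEN is a hypothetical secret name; only
    # Dependabot secrets are populated in Dependabot-triggered runs.
    # secrets:
    #   EXAMPLE_TOKEN: ${{ secrets.EXAMPLE_TOKEN }}
```

The guard short-circuits on `event_name`, so a scheduled or push-triggered run scans `main` whatever `github.actor` resolves to; only the combination of a `pull_request` event with the `dependabot[bot]` actor is skipped.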