
fix(ci): skip security scan on Dependabot PRs to unblock their fix PRs #120

Merged: WomB0ComB0 merged 1 commit into master from fix/security-skip-dependabot on Jul 1, 2026

Conversation

WomB0ComB0 (Member) commented Jul 1, 2026

Problem

The security workflow ends in startup_failure on Dependabot PRs, which blocks Dependabot's own security-fix PRs from merging (its required check never passes), so dependency-vulnerability alerts stay open even though the bump is already proposed.

Why: security.yml is a thin caller that invokes the cross-repo reusable workflow resq-software/.github/.github/workflows/security-scan.yml with secrets: inherit. GitHub does not grant secrets to Dependabot-triggered runs, and a cross-repo reusable-workflow call that inherits secrets fails to start in that restricted context → startup_failure.

Fix

Skip the scan job on Dependabot PRs:

jobs:
  scan:
    if: ${{ github.actor != 'dependabot[bot]' }}
    uses: resq-software/.github/.github/workflows/security-scan.yml@… # main

Dependabot already vetted the bump, and push / schedule runs still scan the default branch — so coverage of main is unchanged; only the (redundant, and currently failing) scan on Dependabot PR branches is skipped, letting those PRs go green and merge.

Scope / rollout

This is a per-repo thin caller, so the same one-line guard is needed on every repo's security.yml (or, better, applied to whatever template/sync generates them). This PR is on crates as a validating example.

Alternatives (if you'd rather keep scanning Dependabot PRs)

  • Grant Dependabot secrets access (Settings → Secrets and variables → Dependabot), or
  • Drop secrets: inherit and forward the (all-optional) secrets by name.

Diagnosed while triaging the org's public repos. Please review — this changes a security-CI control.

Summary by CodeRabbit

  • Bug Fixes
    • Improved the security check workflow so it skips unsupported Dependabot runs while continuing to run on main/master pushes and scheduled scans.

gemini-code-assist (Contributor) commented

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@github-actions github-actions Bot added size/XS A-DevOps CI/CD and tooling labels Jul 1, 2026
coderabbitai Bot commented Jul 1, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between dba8d69 and 128209d.

📒 Files selected for processing (1)
  • .github/workflows/security.yml

Walkthrough

The security workflow job adds a conditional guard to skip execution when the workflow actor is Dependabot, with an explanatory comment describing the restricted-context failure and that Dependabot already vets dependency bumps. Push and scheduled run behavior is preserved.

Changes

Security Workflow Guard
  Layer: Dependabot skip condition
  File(s): .github/workflows/security.yml
  Summary: Adds an if condition to skip the security scan job when the actor is dependabot[bot], with a comment explaining the restricted-context failure; push and scheduled runs still execute.

Estimated code review effort: 1 (Trivial) | ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: skipping the security scan for Dependabot PRs to avoid blocked fix PRs.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

github-actions Bot (Contributor) commented Jul 1, 2026

AI Audit Results: Found a logic issue in the security.yml if-condition that may skip scans on the default branch after a Dependabot merge. Also suggested checking ci.yml for consistency.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

Generated by ai-auditor for issue #120

github-actions Bot (Contributor) commented Jul 1, 2026

AI Audit Results

I have reviewed the changes in this PR and identified one logic issue and one potential oversight:

1. Potential for skipping scans on the default branch

The current if condition github.actor != "dependabot[bot]" will skip the security scan not only on Dependabot pull requests but also on push events to the default branch if they are initiated by Dependabot (e.g., via auto-merge). This contradicts the comment stating that push/schedule events still scan the default branch.

Suggested Fix:
Change the if condition to only skip for pull request events:

if: github.event_name != "pull_request" || github.actor != "dependabot[bot]"

This ensures that scans still run on push, schedule, and workflow_dispatch events, even if Dependabot is the actor.

2. Consistency across workflows

The ci.yml workflow also utilizes a cross-repo reusable workflow with secrets: inherit, which likely suffers from the same "startup-fails" issue on Dependabot PRs. You may want to apply a similar fix there to ensure Dependabot PRs are fully unblocked across all CI checks.

Apart from these points, the change correctly addresses the platform limitation regarding secrets: inherit in restricted contexts.

Generated by ai-auditor for issue #120
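As an added example (not code from the PR or the resq-software repositories), the following Python models the parts of the GitHub Actions `github` context the two guards read and evaluates the PR's actor-only `if:` beside the audit bot's event-scoped `if:` over constructed run contexts, so the push-by-Dependabot gap the bot describes shows up as a concrete row. The `RunContext` class, the sample actors and refs are constructed; the comments quote the expressions with single-quoted strings, as GitHub expression syntax requires.

```python
"""Decision-table check of the two Dependabot guards discussed in PR #120 (constructed example)."""
from dataclasses import dataclass

DEPENDABOT = "dependabot[bot]"


@dataclass(frozen=True)
class RunContext:
    """Subset of the GitHub Actions `github` context that the guards read (constructed model)."""
    event_name: str  # github.event_name: pull_request, push, schedule, ...
    actor: str       # github.actor: login that triggered the run
    ref: str         # github.ref: the ref the run is for


def actor_only_guard(ctx: RunContext) -> bool:
    """Mirrors the PR's guard: if: ${{ github.actor != 'dependabot[bot]' }}"""
    return ctx.actor != DEPENDABOT


def event_scoped_guard(ctx: RunContext) -> bool:
    """Mirrors the audit bot's suggestion, which only skips Dependabot pull requests:
    if: github.event_name != 'pull_request' || github.actor != 'dependabot[bot]'"""
    return ctx.event_name != "pull_request" or ctx.actor != DEPENDABOT


# Constructed run contexts; the third row is the auto-merged bump pushed to the default branch.
SCENARIOS = [
    RunContext("pull_request", DEPENDABOT, "refs/pull/1/merge"),
    RunContext("pull_request", "maintainer", "refs/pull/2/merge"),
    RunContext("push", DEPENDABOT, "refs/heads/main"),
    RunContext("push", "maintainer", "refs/heads/main"),
    RunContext("schedule", "maintainer", "refs/heads/main"),
]


def coverage_gaps(scenarios):
    """Contexts where the actor-only guard skips the scan but the event-scoped guard runs it."""
    return [c for c in scenarios if not actor_only_guard(c) and event_scoped_guard(c)]


def skips_default_branch(guard, scenarios, default_ref="refs/heads/main"):
    """True if `guard` would skip at least one run on the default branch."""
    return any(c.ref == default_ref and not guard(c) for c in scenarios)


if __name__ == "__main__":
    for c in SCENARIOS:
        print(f"{c.event_name:13} {c.actor:16} actor-only={actor_only_guard(c)!s:5} "
              f"event-scoped={event_scoped_guard(c)}")
    print("gaps:", coverage_gaps(SCENARIOS))
```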
