fix(ci): skip security scan on Dependabot PRs to unblock their fix PRs#88

Merged
WomB0ComB0 merged 1 commit into main from fix/security-skip-dependabot on Jul 1, 2026

Conversation

@WomB0ComB0

Member

Problem

The security workflow ends in startup_failure on Dependabot PRs, so Dependabot's own security-fix PRs can't pass their required check and stay unmerged — leaving dependency-vulnerability alerts open even though the bump is already proposed.

Why: security.yml calls the cross-repo reusable workflow resq-software/.github/.github/workflows/security-scan.yml with secrets: inherit. GitHub does not grant secrets to Dependabot-triggered runs, and a cross-repo reusable call that inherits secrets fails to start in that restricted context → startup_failure.

Fix

Skip the scan job on Dependabot PRs:

jobs:
  scan:
    # Dependabot-triggered runs receive no repository secrets, so the cross-repo
    # reusable call below (with secrets: inherit) would end in startup_failure.
    if: ${{ github.actor != 'dependabot[bot]' }}
    uses: resq-software/.github/.github/workflows/security-scan.yml@… # main
    secrets: inherit

Dependabot already vetted the bump; push / schedule runs still scan the default branch, so coverage of the default branch is unchanged.

This is the org-wide rollout of the same guard first proposed on resq-software/crates#120. Same one-liner, one repo at a time (each has its own thin caller).

Alternatives (keep scanning Dependabot PRs)

  • Grant Dependabot secrets access (Settings → Secrets and variables → Dependabot), or
  • Drop secrets: inherit and forward the (all-optional) secrets by name.

Please review — this changes a security-CI control.
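A complete thin caller showing the two shapes the description discusses, added here as an illustration rather than the repository's own security.yml: the merged guard on the scan job, and the alternative that drops secrets: inherit and forwards secrets by name. The triggers, the cron, the <ref> pin and the SECRET_A / SECRET_B names are placeholders, not the org's real values.

```yaml
# Added illustration, not the repository's own .github/workflows/security.yml.
# Assumptions: the triggers, the cron schedule and <ref> are placeholders; the
# real caller pins the reusable workflow to a specific ref.
name: security

on:
  pull_request:
  push:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"   # constructed weekly default-branch scan

jobs:
  # Shape 1 (what this PR merges): skip the cross-repo call when Dependabot
  # triggered the run. Dependabot-triggered runs get no repository secrets, and
  # a reusable-workflow call with `secrets: inherit` cannot start without them,
  # so the job would otherwise end in startup_failure and block the PR.
  # push/schedule runs are not Dependabot-triggered, so they still scan main.
  scan:
    if: ${{ github.actor != 'dependabot[bot]' }}
    uses: resq-software/.github/.github/workflows/security-scan.yml@<ref>
    secrets: inherit

  # Shape 2 (the second alternative in the description): keep scanning
  # Dependabot PRs by forwarding each optional secret explicitly instead of
  # inheriting. A secret that is not defined in the calling context evaluates
  # to an empty string, which is acceptable only because the description
  # states the secrets are all optional. SECRET_A / SECRET_B are hypothetical
  # names, not the reusable workflow's real secret inputs.
  # scan:
  #   uses: resq-software/.github/.github/workflows/security-scan.yml@<ref>
  #   secrets:
  #     SECRET_A: ${{ secrets.SECRET_A }}
  #     SECRET_B: ${{ secrets.SECRET_B }}
```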

@gemini-code-assist


Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

github-actions bot added the label area:ci (GitHub Actions, workflows, CI) on Jul 1, 2026
@coderabbitai

coderabbitai Bot commented Jul 1, 2026


Warning

Review limit reached

@WomB0ComB0, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 59 minutes


Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4a99aed6-2bf4-425a-a9fd-9e6fa4cd74e9

📥 Commits

Reviewing files that changed from the base of the PR and between a6f84ba and 40f36f5.

📒 Files selected for processing (1)
  • .github/workflows/security.yml

@mintlify

mintlify Bot commented Jul 1, 2026


Preview deployment for your docs. Learn more about Mintlify Previews.

Project: resq | Status: 🟢 Ready | Preview: View Preview | Updated (UTC): Jul 1, 2026, 6:47 AM


WomB0ComB0 merged commit ad05194 into main on Jul 1, 2026
14 of 15 checks passed
WomB0ComB0 deleted the fix/security-skip-dependabot branch on July 1, 2026 at 07:20