
fix(ci): skip security scan on Dependabot PRs to unblock their fix PRs#137

Merged
WomB0ComB0 merged 1 commit into master from fix/security-skip-dependabot on Jul 1, 2026

Conversation

@WomB0ComB0 (Member)

Problem

The security workflow hits startup_failure on Dependabot PRs, so Dependabot's own security-fix PRs can't pass their required check and stay unmerged — leaving dependency-vulnerability alerts open even though the bump is already proposed.

Why: security.yml calls the cross-repo reusable workflow resq-software/.github/.github/workflows/security-scan.yml with secrets: inherit. GitHub does not grant secrets to Dependabot-triggered runs, and a cross-repo reusable call that inherits secrets fails to start in that restricted context → startup_failure.

Fix

Skip the scan job on Dependabot PRs:

```yaml
jobs:
  scan:
    if: ${{ github.actor != 'dependabot[bot]' }}
    uses: resq-software/.github/.github/workflows/security-scan.yml@… # main
```

Dependabot already vetted the bump; push / schedule runs still scan the default branch, so coverage of the default branch is unchanged.

This is the org-wide rollout of the same guard first proposed on resq-software/crates#120. Same one-liner, one repo at a time (each has its own thin caller).

Alternatives (keep scanning Dependabot PRs)

  • Grant Dependabot secrets access (Settings → Secrets and variables → Dependabot), or
  • Drop secrets: inherit and forward the (all-optional) secrets by name.

Please review — this changes a security-CI control.
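An added illustration (not the repository's actual security.yml) of what the thin caller workflow looks like with the guard in place: the `pull_request` run is skipped for Dependabot, while `push` and `schedule` runs keep scanning the default branch. The trigger set, the cron expression, the `permissions` block, the `REF_PLACEHOLDER` ref and the secret name `SCAN_TOKEN` are assumptions, not values from the page.

```yaml
# Illustrative caller workflow (.github/workflows/security.yml).
# Added example, not the repo's own file; triggers and permissions are assumed.
name: security

on:
  pull_request:            # Dependabot PRs arrive here with no repo secrets
  push:
    branches: [master]     # default-branch coverage after merge
  schedule:
    - cron: "0 6 * * 1"    # assumed weekly run (Mondays, 06:00 UTC)

permissions:
  contents: read

jobs:
  scan:
    # Guard: a Dependabot-triggered run is not granted repo secrets, so a
    # cross-repo reusable call with `secrets: inherit` fails at startup in that
    # context. Skipping the job there stops the required check from blocking
    # Dependabot's own fix PRs; push/schedule runs above are unaffected.
    if: ${{ github.actor != 'dependabot[bot]' }}
    # REF_PLACEHOLDER stands for the pinned commit SHA of the reusable workflow.
    uses: resq-software/.github/.github/workflows/security-scan.yml@REF_PLACEHOLDER
    secrets: inherit

  # Alternative named in the PR description (keeps scanning Dependabot PRs):
  # drop `secrets: inherit` and forward each optional secret by name.
  # SCAN_TOKEN is a hypothetical secret name used only for illustration.
  # scan-forwarded:
  #   uses: resq-software/.github/.github/workflows/security-scan.yml@REF_PLACEHOLDER
  #   secrets:
  #     SCAN_TOKEN: ${{ secrets.SCAN_TOKEN }}
```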

@gemini-code-assist


Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@coderabbitai

coderabbitai Bot commented Jul 1, 2026


Warning

Review limit reached

@WomB0ComB0, you've reached your PR review limit, so we couldn't start this review.


Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8731ff0c-bf85-4cb3-9293-4c4d7d18cb8d

📥 Commits

Reviewing files that changed from the base of the PR and between e6e7c1b and 2ea80b1.

📒 Files selected for processing (1)
  • .github/workflows/security.yml

@github-actions github-actions Bot added the A-CI GitHub Actions, workflows, hooks label Jul 1, 2026
@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

Audit Summary: Passed ✅

The changes in this PR have been audited for security, logic, and performance.

Findings:

  • Security: The skip logic for Dependabot is a reasonable trade-off to unblock automated dependency updates. Security scans will still run on the default branch after merge and on a weekly schedule, ensuring coverage for all merged changes.
  • Logic: The use of github.actor != 'dependabot[bot]' is consistent with established patterns in this repository (e.g., in chromatic.yml) and correctly identifies PRs triggered by the bot.
  • Performance: No issues identified.

The audit has passed.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

```yaml
network:
  allowed:
    - defaults
    - "localhost"
```

See Network Configuration for more information.

Generated by ai-auditor for issue #137

@WomB0ComB0 WomB0ComB0 merged commit 5a7d0b3 into master Jul 1, 2026
38 checks passed
@WomB0ComB0 WomB0ComB0 deleted the fix/security-skip-dependabot branch July 1, 2026 07:20
