From d02ebf5c73d1d1bfe763102ca1a4fd4f1e9e30f8 Mon Sep 17 00:00:00 2001
From: Mike Odnis
Date: Wed, 1 Jul 2026 02:46:54 -0400
Subject: [PATCH] fix(ci): skip security scan on Dependabot PRs to unblock their fix PRs
---
 .github/workflows/security.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 6e292f9..d60850d 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -33,6 +33,10 @@ jobs:
 # SHA-pinned per org policy (mutable @main is rejected by zizmor
 # unpinned-uses). Trailing comment keeps Dependabot updates working;
 # matches the convention in ci.yml.
+ # Skip on Dependabot PRs: a cross-repo reusable workflow called with `secrets: inherit`
+ # startup-fails for Dependabot's restricted context, which blocks Dependabot's own security
+ # PRs. Dependabot already vetted the bump; push/schedule still scan the default branch.
+ if: ${{ github.actor != 'dependabot[bot]' }}
 uses: resq-software/.github/.github/workflows/security-scan.yml@73b9edb8f4f28a99f70ee22eb5e2dd2bf7807c84 # main (2026-06-01, #21)
 with:
 languages: '["actions"]'
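Review bot: The added `if: ${{ github.actor != 'dependabot[bot]' }}` keys the skip on `github.actor`, which names whoever triggered the run rather than the PR author, and it is not limited to pull_request events, so the scan may be skipped in more cases than the comment describes (the `on:` triggers and the start of this job are outside the hunk, so this cannot be confirmed from here). zizmor, which the comment just above cites as org policy, has a bot-conditions audit for this pattern; scoping the guard as `if: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]') }}` would skip only pull requests that Dependabot authored. The comment's "Dependabot already vetted the bump" overstates what Dependabot does: it proposes version bumps without reviewing the new code, and a skipped job is reported as successful to a required status check, so these PRs pass the gate unscanned until the post-merge push scan. If the startup failure really comes from `secrets: inherit`, passing only the secrets the reusable workflow needs (or defining them as Dependabot secrets) may let the scan keep running on these PRs instead of being skipped.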