
fix(ci): skip security scan on Dependabot PRs to unblock their fix PRs#43

Merged
WomB0ComB0 merged 1 commit into main from fix/security-skip-dependabot on Jul 1, 2026

Conversation

@WomB0ComB0

Member

Problem

The security workflow hits startup_failure on Dependabot PRs, so Dependabot's own security-fix PRs can't pass their required check and stay unmerged, leaving dependency-vulnerability alerts open even though the bump is already proposed.

Why: security.yml calls the cross-repo reusable workflow resq-software/.github/.github/workflows/security-scan.yml with secrets: inherit. GitHub does not grant secrets to Dependabot-triggered runs, and a cross-repo reusable call that inherits secrets fails to start in that restricted context → startup_failure.

Fix

Skip the scan job on Dependabot PRs:

jobs:
  scan:
    if: ${{ github.actor != 'dependabot[bot]' }}
    uses: resq-software/.github/.github/workflows/security-scan.yml@… # main

Dependabot already vetted the bump; push / schedule runs still scan the default branch, so coverage of the default branch is unchanged.

This is the org-wide rollout of the same guard first proposed on resq-software/crates#120. Same one-liner, one repo at a time (each has its own thin caller).

Alternatives (keep scanning Dependabot PRs)

  • Grant Dependabot secrets access (Settings → Secrets and variables → Dependabot), or
  • Drop secrets: inherit and forward the (all-optional) secrets by name.

Please review — this changes a security-CI control.
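For readers who want to see the guard in the context of a complete caller, here is an example thin caller workflow. It is an added illustration, not the repository's actual security.yml: the trigger list, the permissions block, the `@main` ref (pin to a commit SHA in practice) and the `SCAN_TOKEN` secret name are all assumptions. It narrows the skip to Dependabot `pull_request` runs only, so a push to the default branch whose actor is dependabot[bot] is still scanned, and it shows the two ways of handing secrets to the cross-repo reusable workflow side by side: `secrets: inherit`, which the PR description says fails to start in the Dependabot context, and forwarding by name, which the PR lists as the alternative that keeps Dependabot PRs scanned.

```yaml
name: security

on:
  pull_request:            # assumed triggers; the real caller may differ
  push:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"    # assumed weekly default-branch scan

permissions:               # assumed least-privilege set; match what the reusable scan needs
  contents: read
  security-events: write

jobs:
  scan:
    # Skip only Dependabot *pull_request* runs. Those run without repository
    # secrets, so a cross-repo reusable call that inherits secrets never starts
    # (startup_failure). push/schedule runs, even with dependabot[bot] as the
    # actor (e.g. auto-merge), still scan the default branch.
    if: github.event_name != 'pull_request' || github.actor != 'dependabot[bot]'
    uses: resq-software/.github/.github/workflows/security-scan.yml@main   # assumed ref; pin a SHA
    secrets: inherit

  # Alternative from the PR description (keep scanning Dependabot PRs): drop
  # `secrets: inherit` and forward each optional secret by name. An unset secret
  # resolves to an empty string, which the called workflow must tolerate.
  scan-with-named-secrets:
    if: false   # disabled here; enable this job instead of `scan` if you choose this route
    uses: resq-software/.github/.github/workflows/security-scan.yml@main   # assumed ref
    secrets:
      SCAN_TOKEN: ${{ secrets.SCAN_TOKEN }}   # hypothetical secret name
```

Note that `github.actor` is the user who triggered the initial run, so a maintainer re-running a Dependabot PR's workflow still sees dependabot[bot] as the actor and the job stays skipped; that is consistent with the PR's intent, since the run would otherwise still lack secrets.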

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between 50fb030 and d02ebf5.

📒 Files selected for processing (1)
  • .github/workflows/security.yml

@github-actions

github-actions Bot commented Jul 1, 2026

Audit passed with recommendations.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

Generated by ai-auditor for issue #43

@github-actions

github-actions Bot commented Jul 1, 2026

Audit Results for PR #43

I have reviewed the changes in .github/workflows/security.yml and identified the following points:

1. Optimization: Narrow the Skip Condition

The current condition if: ${{ github.actor != 'dependabot[bot]' }} skips the security scan for any event triggered by Dependabot. While this correctly unblocks Dependabot PRs, it also skips the scan on the default branch if Dependabot is the actor of a push (e.g., via auto-merge).

  • Recommendation: Change the condition to only skip on pull_request events from Dependabot. This ensures that the scan still runs when the code is merged into the default branch, maintaining security coverage.
  • Suggested Change:
    if: github.event_name != 'pull_request' || github.actor != 'dependabot[bot]'

2. Documentation Accuracy

The comment added in this PR mentions that the scan "startup-fails" when called with secrets: inherit. However, the current workflow passes secrets explicitly. If the failure is actually due to the restricted GITHUB_TOKEN in cross-repo reusable workflow calls from Dependabot, the documentation should be updated to avoid confusion.

  • Recommendation: Update the comment to accurately reflect the cause of the failure.

3. Observation: Language Coverage (Advisory)

The workflow is currently configured to scan languages: '["actions"]'. Since this is a Rust project, you may want to ensure that Rust code is also being scanned by this or another security workflow to ensure full coverage.

Conclusion: The changes effectively unblock Dependabot PRs, but the implementation should be tightened to ensure default-branch coverage is maintained.

Generated by ai-auditor for issue #43
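Before widening or narrowing a skip condition on a security job, it helps to confirm from the run history that the startup failures really are all Dependabot pull_request runs, and to preview which past runs each candidate guard would have dropped. The script below is an added example, not part of this PR or the ai-auditor tooling. It works on the JSON shape returned by the GitHub REST endpoint `GET /repos/{owner}/{repo}/actions/runs` (fields `name`, `event`, `conclusion`, `actor.login`), which you can save with `gh api` and pass as a file; the embedded sample runs are constructed for the demonstration, including a hypothetical push to main whose actor is dependabot[bot], the case the auditor's narrower condition is meant to keep scanning.

```python
"""Triage security-workflow runs and preview the effect of a Dependabot skip guard.

Input: JSON from GET /repos/{owner}/{repo}/actions/runs (the 'workflow_runs' array).
No network access; the sample below is constructed for illustration.
"""
import json
import sys
from collections import Counter

DEPENDABOT = "dependabot[bot]"
WORKFLOW = "security"          # assumed workflow name of the thin caller

# Constructed sample runs (not real data). Only the fields this script reads are included.
SAMPLE_RUNS_JSON = json.dumps({"workflow_runs": [
    {"id": 1, "name": "security", "event": "pull_request", "conclusion": "startup_failure",
     "head_branch": "dependabot/cargo/example-1.2.3", "actor": {"login": DEPENDABOT}},
    {"id": 2, "name": "security", "event": "pull_request", "conclusion": "success",
     "head_branch": "feat/parser", "actor": {"login": "alice"}},
    {"id": 3, "name": "security", "event": "push", "conclusion": "success",
     "head_branch": "main", "actor": {"login": DEPENDABOT}},   # hypothetical auto-merge push
    {"id": 4, "name": "security", "event": "schedule", "conclusion": "success",
     "head_branch": "main", "actor": {"login": "alice"}},
    {"id": 5, "name": "ci", "event": "pull_request", "conclusion": "success",
     "head_branch": "dependabot/cargo/other-4.5.6", "actor": {"login": DEPENDABOT}},
]})


def load_runs(raw):
    """Parse the API payload and return the list of run objects."""
    return json.loads(raw)["workflow_runs"]


def startup_failures(runs, workflow=WORKFLOW):
    """Map (event, actor) -> number of runs of `workflow` that never started."""
    counts = Counter()
    for run in runs:
        if run["name"] == workflow and run["conclusion"] == "startup_failure":
            counts[(run["event"], run["actor"]["login"])] += 1
    return dict(counts)


# The two candidate `if:` expressions, as Python predicates returning "job runs".
def broad_guard(event, actor):
    """The PR's condition: github.actor != 'dependabot[bot]' (any event)."""
    return actor != DEPENDABOT


def narrow_guard(event, actor):
    """The auditor's condition: skip only Dependabot pull_request runs."""
    return event != "pull_request" or actor != DEPENDABOT


def skipped_by(runs, guard, workflow=WORKFLOW):
    """IDs of past runs of `workflow` that `guard` would have skipped."""
    return sorted(run["id"] for run in runs
                  if run["name"] == workflow
                  and not guard(run["event"], run["actor"]["login"]))


def main(argv):
    raw = open(argv[1]).read() if len(argv) > 1 else SAMPLE_RUNS_JSON
    runs = load_runs(raw)
    print("startup_failure runs by (event, actor):", startup_failures(runs))
    for name, guard in (("broad", broad_guard), ("narrow", narrow_guard)):
        print(f"{name} guard would have skipped run ids: {skipped_by(runs, guard)}")


if __name__ == "__main__":
    main(sys.argv)
```

On the sample, the failures are exclusively (pull_request, dependabot[bot]), which supports the PR's diagnosis; the broad guard additionally drops the push-to-main run, the narrow one does not, which is the auditor's point made concrete.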

@WomB0ComB0 WomB0ComB0 merged commit d3c0006 into main Jul 1, 2026
24 of 25 checks passed
@WomB0ComB0 WomB0ComB0 deleted the fix/security-skip-dependabot branch July 1, 2026 07:20