Refactor Dependabot checks.

auth0 · Aug 28, 2023 · 986039f · 986039f
1 parent bf42e1e
commit 986039f
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 17 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -20,9 +20,6 @@ permissions:
 
 jobs:
   analyze:
-    # Skip running test for dependabot.
-    if: (github.actor != 'dependabot[bot]')
-
     name: Analyze
     runs-on: ubuntu-latest
 
@@ -32,8 +29,8 @@ jobs:
         language: [javascript]
 
     steps:
-      - if: github.event_name == 'merge_group'
-        run: exit 0 # Skip running test for merge queues.
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
 
       - name: Checkout
         uses: actions/checkout@v3

diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -18,15 +18,12 @@ permissions:
 jobs:
   authorize:
     name: Authorize
-    environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
     runs-on: ubuntu-latest
     steps:
       - run: true
 
   run:
-    # Skip running test for dependabot.
-    if: (github.actor != 'dependabot[bot]')
-
     needs: authorize # Require approval before running on forked pull requests
 
     name: Check for Vulnerabilities
@@ -36,8 +33,8 @@ jobs:
       image: returntocorp/semgrep
 
     steps:
-      - if: github.event_name == 'merge_group'
-        run: exit 0 # Skip running test for merge queues.
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
 
       - uses: actions/checkout@v3
         with:

diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
@@ -23,22 +23,20 @@ concurrency:
 jobs:
   authorize:
     name: Authorize
-    environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
     runs-on: ubuntu-latest
     steps:
       - run: true
 
   check:
-    # Skip running test for dependabot.
-    if: (github.actor != 'dependabot[bot]')
     needs: authorize
 
     name: Check for Vulnerabilities
     runs-on: ubuntu-latest
 
     steps:
-      - if: github.event_name == 'merge_group'
-        run: exit 0 # Skip running test for merge queues.
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
 
       - uses: actions/checkout@v3
         with:

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -21,7 +21,7 @@ concurrency:
 jobs:
   authorize:
     name: Authorize
-    environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
     runs-on: ubuntu-latest
     steps:
       - run: true