From 986039f967d02dcbc074b94ce46ebb848a4470c3 Mon Sep 17 00:00:00 2001
From: Evan Sims
Date: Mon, 28 Aug 2023 16:57:07 -0500
Subject: [PATCH] Refactor Dependabot checks.
---
.github/workflows/codeql.yml | 7 ++-----
.github/workflows/semgrep.yml | 9 +++------
.github/workflows/snyk.yml | 8 +++-----
.github/workflows/test.yml | 2 +-
4 files changed, 9 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 618552909..5abd7d7a5 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -20,9 +20,6 @@ permissions:
jobs:
analyze:
- # Skip running test for dependabot.
- if: (github.actor != 'dependabot[bot]')
-
name: Analyze
runs-on: ubuntu-latest
@@ -32,8 +29,8 @@ jobs:
language: [javascript]
steps:
- - if: github.event_name == 'merge_group'
- run: exit 0 # Skip running test for merge queues.
+ - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+ run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
- name: Checkout
uses: actions/checkout@v3
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index a17c2754a..1ceefe566 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
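Review bot: The new `run: exit 0` step in the second hunk does not skip the analysis: a step that exits 0 is just a successful step, and the job carries on to `Checkout` (which has no `if:` in the hunk) and the later steps outside it, so with the job-level `if:` removed in the first hunk CodeQL now runs in full for Dependabot PRs while the comment says it was skipped. If the intent is a green required check without the work, the condition belongs on each working step, e.g. `if: github.actor != 'dependabot[bot]' && github.event_name != 'merge_group'`, and the comment should state plainly that the check then attests nothing for those events; I believe a job skipped by a job-level `if:` is already reported as a success to branch protection, which would make the removal unnecessary, so that is worth confirming before relying on the no-op step. The same pattern is added to semgrep.yml and snyk.yml, and `Artifically` should read `Artificially` in all three. The `analyze` job continues past the end of the hunk.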
@@ -18,15 +18,12 @@ permissions:
jobs:
authorize:
name: Authorize
- environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+ environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
runs-on: ubuntu-latest
steps:
- run: true
run:
- # Skip running test for dependabot.
- if: (github.actor != 'dependabot[bot]')
-
needs: authorize # Require approval before running on forked pull requests
name: Check for Vulnerabilities
@@ -36,8 +33,8 @@ jobs:
image: returntocorp/semgrep
steps:
- - if: github.event_name == 'merge_group'
- run: exit 0 # Skip running test for merge queues.
+ - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+ run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
- uses: actions/checkout@v3
with:
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
index 0d6791a6d..0ce8d3177 100644
--- a/.github/workflows/snyk.yml
+++ b/.github/workflows/snyk.yml
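Review bot: The `github.actor != 'dependabot[bot]'` term added to `authorize`'s `environment:` expression in the first hunk loosens the approval gate rather than tightening it: for Dependabot branches in this repository `head.repo.full_name != github.repository` is already false, so those runs already resolved to `internal`, and the only runs whose result changes are fork `pull_request_target` runs whose triggering actor is dependabot[bot], which now land in `internal` without the `external` approval. If that case is not expected to occur the term is dead weight and the original expression is the clearer least-privilege form; if it is expected, a comment above the line should record why a Dependabot-initiated fork PR may bypass approval. Consider also writing the expression as a `>-` folded scalar, since the line is now well past 120 characters. The same term is added in snyk.yml and test.yml, and the `run` job in this hunk continues outside it.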
@@ -23,22 +23,20 @@ concurrency:
jobs:
authorize:
name: Authorize
- environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+ environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
runs-on: ubuntu-latest
steps:
- run: true
check:
- # Skip running test for dependabot.
- if: (github.actor != 'dependabot[bot]')
needs: authorize
name: Check for Vulnerabilities
runs-on: ubuntu-latest
steps:
- - if: github.event_name == 'merge_group'
- run: exit 0 # Skip running test for merge queues.
+ - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+ run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
- uses: actions/checkout@v3
with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3608eda14..2a4eeec36 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,7 +21,7 @@ concurrency:
jobs:
authorize:
name: Authorize
- environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+ environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
runs-on: ubuntu-latest
steps:
- run: true