disable jobs which require secrets when PR is a dependabot update (#1238)

sean-breen · web-flow · commit fb7c546b2d73 · 2025-08-26T17:20:29.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -26,7 +26,7 @@ jobs:
   proxy-sanity-check:
     name: Proxy Sanity Check
     runs-on: ubuntu-22.04
-    if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.ref_name, 'dependabot-') }}
+    if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }}
     env:
       GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev"
     steps:
@@ -145,7 +145,7 @@ jobs:
   official-oss-image-integration-tests:
     name: Integration Tests - Official OSS Images
     needs: build-unsigned-snapshot
-    if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.ref_name, 'dependabot-') }}
+    if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }}
     runs-on: ubuntu-22.04
     strategy:
       matrix:
@@ -184,7 +184,7 @@ jobs:
   official-plus-image-integration-tests:
     name: Integration Tests - Official Plus Images
     needs: build-unsigned-snapshot
-    if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.ref_name, 'dependabot-') }}
+    if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }}
     runs-on: ubuntu-22.04
     strategy:
       matrix:
@@ -265,7 +265,7 @@ jobs:
         run: git push 'https://github-actions:${{ secrets.GITHUB_TOKEN }}@github.com/nginx/agent.git' benchmark-results:benchmark-results
   load-tests:
     name: Load Tests
-    if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.ref_name, 'dependabot-') }}
+    if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-') }}
     permissions:
       contents: write
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/mend.yml b/.github/workflows/mend.yml
@@ -25,7 +25,11 @@ permissions:
 
 jobs:
   mend:
-    if: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) || (github.event_name == 'push' && github.event.repository.fork == false) }}
+    if: >-
+      ${{ 
+        (github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork && !startsWith(github.head_ref, 'dependabot-')) ||
+        (github.event_name == 'push' && !github.event.repository.fork)
+      }}
     uses: nginxinc/compliance-rules/.github/workflows/mend.yml@a27656f8f9a8748085b434ebe007f5b572709aad # v0.2
     secrets: inherit
     with:
