Skip to content

ci: skip SonarQube/Stryker on Dependabot PRs (secrets withheld)#66

Merged
wolpert merged 1 commit into
mainfrom
ci-skip-sonar-on-dependabot
Jun 13, 2026
Merged

ci: skip SonarQube/Stryker on Dependabot PRs (secrets withheld)#66
wolpert merged 1 commit into
mainfrom
ci-skip-sonar-on-dependabot

Conversation

@wolpert

@wolpert wolpert commented Jun 13, 2026

Copy link
Copy Markdown
Contributor

Fixes the red browser-mutation job on Dependabot PRs (seen on #64 and #65).

Root cause

GitHub runs Dependabot-triggered workflows with repository secrets withheld (a security measure). So:

  • SonarQube scan can't authenticate (SONAR_TOKEN empty) → step fails.
  • Stryker has the dashboard reporter enabled, which needs STRYKER_DASHBOARD_API_KEY → fails next once Sonar is skipped.

The previous guard only excluded fork PRs (head.repo.full_name == github.repository), but Dependabot branches live in the same repo, so they passed the guard and then failed for lack of a token.

These checks weren't required/gating, so #64 and #65 merged anyway — but they left a red X and burned CI minutes on every Dependabot run.

Fix

Exclude github.actor == 'dependabot[bot]' from both secret-dependent steps:

  • SonarQube scan if: — add github.actor != 'dependabot[bot]' && (…).
  • Stryker step — add if: github.actor != 'dependabot[bot]'.

The npm ci + vitest steps still run on Dependabot PRs, so a future npm-dependency bump is still gated on the JS test suite; only the two steps that can't work without secrets are skipped. No change to push / workflow_dispatch / normal-PR behavior.

🤖 Generated with Claude Code

GitHub withholds repository secrets from Dependabot-triggered workflow runs, so
the SonarQube scan (SONAR_TOKEN) and Stryker dashboard reporter
(STRYKER_DASHBOARD_API_KEY) hard-fail on every Dependabot PR — the
browser-mutation job went red on #64 and #65. The existing guard only excluded
fork PRs, but Dependabot branches live in the same repo, so they slipped
through.

Exclude `github.actor == 'dependabot[bot]'` from both steps. The vitest suite
still runs (so any future npm-dependency Dependabot PR is still gated on tests),
and mutation-testing a dependency bump added no signal anyway.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@sonarqubecloud

Copy link
Copy Markdown

@wolpert
wolpert merged commit 6182d6a into main Jun 13, 2026
5 checks passed
@wolpert
wolpert deleted the ci-skip-sonar-on-dependabot branch June 13, 2026 15:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant