Skip to content

fix: Skip Netlify deployment for Dependabot PRs#660

Merged
mmcky merged 1 commit intomainfrom
fix/dependabot-netlify-secrets
Oct 27, 2025
Merged

fix: Skip Netlify deployment for Dependabot PRs#660
mmcky merged 1 commit intomainfrom
fix/dependabot-netlify-secrets

Conversation

@mmcky
Copy link
Contributor

@mmcky mmcky commented Oct 27, 2025

Problem

PR #659 (and other Dependabot PRs) fail during the Netlify preview deployment step with:

Error: Unauthorized: could not retrieve project

Root Cause: GitHub's security model intentionally blocks repository secrets (NETLIFY_AUTH_TOKEN, NETLIFY_SITE_ID) from being accessible to Dependabot-triggered workflows. This prevents malicious dependency updates from exfiltrating secrets.

Solution

This PR adds conditional logic to gracefully skip Netlify deployment when:

  • Actor is dependabot[bot]
  • PR is from a fork (security precaution)
  • Required secrets are unavailable

Changes

  • ✅ Add if condition to Netlify deploy step checking for trusted actors and secret availability
  • ✅ Move secrets to job-level env for proper conditional access
  • ✅ Add informative skip message step for transparency in logs
  • ✅ Update PR comment step to only run when deployment succeeds
  • ✅ Maintain normal behavior for regular contributor PRs

Outcome

After merging:

  • Dependabot PRs will pass CI (skip Netlify gracefully with clear message)
  • Regular contributor PRs will continue to get Netlify previews
  • No security risks from exposing secrets to untrusted actors
  • No workflow failures

Testing

Once merged, re-run PR #659 or any other Dependabot PR to verify:

  1. CI passes without errors
  2. Logs show "Skipping Netlify preview deploy" message
  3. Build continues normally (HTML, notebooks, PDF generation)

Fixes #659

@mmcky
fix: Skip Netlify deployment for Dependabot PRs
e7a2c65 
Dependabot PRs cannot access repository secrets due to GitHub's security
model. This causes the Netlify preview deployment to fail with
'Unauthorized' errors.

Changes:
- Add conditional check to skip Netlify deploy when actor is dependabot[bot]
- Also skip for PRs from forks or when secrets are unavailable
- Add informative skip message step for transparency
- Only post PR comment when deployment actually succeeds
- Move secrets to job-level env for proper conditional access

This ensures:
- Dependabot PRs pass CI without Netlify preview (acceptable trade-off)
- Regular contributor PRs continue to get Netlify previews
- No security risks from exposing secrets to untrusted actors
- Clear logging when deployment is skipped

Fixes the issue reported in PR #659
@github-actions
Copy link

github-actions bot commented Oct 27, 2025

📖 Netlify Preview Ready!

Preview URL: https://pr-660--sunny-cactus-210e3e.netlify.app (e7a2c65)

@mmcky mmcky merged commit fc4be35 into main Oct 27, 2025
1 check passed
@mmcky mmcky deleted the fix/dependabot-netlify-secrets branch October 27, 2025 22:13
@mmcky mmcky mentioned this pull request Nov 3, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mmcky