From 4fe73314112ef4149fe58b8aa3a9bdeffe1a24ee Mon Sep 17 00:00:00 2001
From: Oliver Meyer
Date: Fri, 9 Jan 2026 11:45:10 +0100
Subject: [PATCH] fix(ci): skip Ketryx reporting for Dependabot PRs

Dependabot PRs do not have access to regular repository secrets (KETRYX_PROJECT, KETRYX_API_KEY) due to GitHub security restrictions. This is by design to prevent malicious dependency updates from accessing sensitive information. This change skips the ketryx_report_and_check job when the PR is opened by dependabot[bot]. All other CI checks (lint, audit, test, codeql) still run normally for Dependabot PRs. The Ketryx compliance report will still be generated when the PR is merged to main, so no compliance tracking is lost. Fixes issue where PR #379 (dependabot) fails with: 'Missing input project' error Related to successful PR #380 (user-opened) which has access to all secrets.
---
 .github/workflows/ci-cd.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index 7a39a273a..afd6688ca 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -133,6 +133,7 @@ jobs:
 ketryx_report_and_check:
 needs: [get-commit-message, lint, audit, test, codeql]
 if: |
+ github.actor != 'dependabot[bot]' &&
 (!contains(needs.get-commit-message.outputs.commit_message, 'skip:ci')) &&
 (!contains(needs.get-commit-message.outputs.commit_message, 'build:native:only')) &&
 !(github.ref_type == 'branch' && startsWith(needs.get-commit-message.outputs.commit_message, 'Bump version:')) &&