fix(npm-audit-autofix): skip autofix job when head_ref is empty #87
When security-scan-source.yml is called by a repo workflow that does not yet pass head_ref, the input arrives as an empty string. The validate step in npm-audit-autofix.yml then correctly fails – but that makes the whole job fail instead of skipping gracefully. Guard the dependabot-audit-fix job condition with inputs.head_ref != '' so it simply skips when no branch name is available, matching the intent of the existing audit-fix/ guard.
The autofix job requires a Dependabot branch as PR target. On schedule events github.head_ref is always empty, so the job would always skip (or previously fail). Restrict the condition to dependabot[bot] actor only – schedule runs report audit findings but cannot open a fix PR.
Summary

Repos that haven't yet been updated to pass `head_ref` to `security-scan-source.yml` (i.e. any repo not yet on PR #86) send an empty string. The `validate head_ref` step added in PR #86 then fails the job outright instead of skipping it gracefully — which is the wrong UX: the autofix simply has no branch to work with, so it should skip, not error.

Fix: add an `inputs.head_ref != ''` guard to the `dependabot-audit-fix` job condition in `security-scan-source.yml`. The job now skips silently when no `head_ref` is provided, consistent with the existing `audit-fix/` skip guard.

Confirmed broken in: https://github.com/tehw0lf/graphular/actions/runs/27734468381/job/82048332945
Test plan

- `actionlint` passes
- `head_ref` → `dependabot-audit-fix` is skipped (not failed)
- `head_ref` with a Dependabot branch → autofix runs as before
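As an added example (not the graphular project's own workflow file), this is how the reusable workflow and the guarded job described above could be wired so that a missing `head_ref` skips the job rather than failing it, and only Dependabot can trigger a fix PR. The file name, job id, `head_ref` input, `dependabot[bot]` actor check and `audit-fix/` guard come from the PR text; the `needs` wiring, the `startsWith` form of the `audit-fix/` guard, the body of the validate step, the job permissions and the script path are assumptions.

```yaml
# Added example, not the project's own file. Reusable scan workflow whose
# autofix job skips cleanly when the caller passes no head_ref.
name: security-scan-source

on:
  workflow_call:
    inputs:
      head_ref:
        description: Branch of the PR being scanned (empty on schedule runs)
        type: string
        required: false
        default: ''          # callers not yet on PR #86 send ''

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm audit --audit-level=high   # findings are reported on every event

  dependabot-audit-fix:
    needs: audit                            # assumed wiring
    # Skip (do not fail) when there is no branch to push a fix to, when the
    # actor is not Dependabot, or when already on an autofix branch
    # (the existing audit-fix/ guard, assumed here to be a startsWith check).
    if: >-
      inputs.head_ref != '' &&
      github.actor == 'dependabot[bot]' &&
      !startsWith(inputs.head_ref, 'audit-fix/')
    runs-on: ubuntu-latest
    # Least privilege: only this job may push a branch and open a PR.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.head_ref }}
      - name: validate head_ref
        # The if-guard above keeps this step from running with an empty value,
        # so a failure here is a real problem, not a missing input.
        # The branch name is passed via env, not interpolated into the script,
        # so a crafted branch name cannot inject shell commands.
        env:
          HEAD_REF: ${{ inputs.head_ref }}
        run: |
          case "$HEAD_REF" in
            dependabot/*) ;;
            *) echo "::error::head_ref must be a Dependabot branch"; exit 1 ;;
          esac
      - run: npm audit fix
      - run: ./scripts/open-fix-pr.sh "audit-fix/$HEAD_REF"   # placeholder script
        env:
          HEAD_REF: ${{ inputs.head_ref }}
```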