
fix(npm-audit-autofix): skip autofix job when head_ref is empty #87

Merged
tehw0lf merged 2 commits into main from fix/npm-audit-autofix-coderabbit-followup-2 on Jun 18, 2026

Conversation

tehw0lf (Owner) commented Jun 18, 2026

Summary

Repos that haven't yet been updated to pass head_ref to security-scan-source.yml (i.e. any repo not yet on PR #86) send an empty string. The validate head_ref step added in PR #86 then fails the job outright instead of skipping it gracefully — which is the wrong UX: the autofix simply has no branch to work with, so it should skip, not error.

Fix: add inputs.head_ref != '' guard to the dependabot-audit-fix job condition in security-scan-source.yml. The job now skips silently when no head_ref is provided, consistent with the existing audit-fix/ skip guard.

Confirmed broken in: https://github.com/tehw0lf/graphular/actions/runs/27734468381/job/82048332945

Test plan

  • actionlint passes
  • Repos that don't pass head_ref → dependabot-audit-fix is skipped (not failed)
  • Repos that do pass head_ref with a Dependabot branch → autofix runs as before

Summary by CodeRabbit

  • Chores
    • Refined security scan workflow triggering so the audit-fix job runs only under the intended branch context and when initiated by the official automation actor, improving reliability.

When security-scan-source.yml is called by a repo workflow that does
not yet pass head_ref, the input arrives as an empty string. The
validate step in npm-audit-autofix.yml then correctly fails – but that
makes the whole job fail instead of skipping gracefully.

Guard the dependabot-audit-fix job condition with inputs.head_ref != ''
so it simply skips when no branch name is available, matching the
intent of the existing audit-fix/ guard.
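To make the guard concrete, here is an illustrative reusable-workflow fragment. It is an added example, not the contents of tehw0lf/workflows' security-scan-source.yml or npm-audit-autofix.yml: the workflow_call input declaration, the prior condition shown in the comment (reconstructed from the walkthrough's description of the removed `schedule` allowance) and the body of the validate step are assumptions; only the guarded `if:` expression itself is what the PR describes.

```yaml
# Constructed illustration of the guard described in this PR.
# Not the tehw0lf/workflows file; the input block and the validate step are assumptions.
on:
  workflow_call:
    inputs:
      head_ref:
        description: >-
          Branch the autofix should push to. Callers that predate the
          head_ref input send an empty string here.
        type: string
        required: false
        default: ''

jobs:
  dependabot-audit-fix:
    # Prior condition (assumed shape): a schedule event was also allowed,
    # but github.head_ref is always empty on schedule runs, so the validate
    # step below failed the job instead of skipping it.
    #   if: github.actor == 'dependabot[bot]' || github.event_name == 'schedule'
    #
    # Guarded condition: require both the Dependabot actor and a non-empty
    # head_ref. With no branch there is nothing to push a fix to, so the job
    # is skipped (not failed); schedule runs only report findings.
    if: github.actor == 'dependabot[bot]' && inputs.head_ref != ''
    runs-on: ubuntu-latest
    steps:
      - name: Validate head_ref
        # Pass the input through env rather than interpolating ${{ }} into the
        # script body, so a branch name can never alter the shell command.
        env:
          HEAD_REF: ${{ inputs.head_ref }}
        run: |
          case "$HEAD_REF" in
            dependabot/*) echo "autofix target: $HEAD_REF" ;;
            *) echo "head_ref '$HEAD_REF' is not a Dependabot branch" >&2; exit 1 ;;
          esac
```

The job-level `if:` is what turns a missing branch into a skip; the validate step still exists as a second check, but with the guard in place it only runs when a non-empty head_ref was actually supplied.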
coderabbitai (Bot) commented Jun 18, 2026


Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 74009100-ab8f-40f1-8626-37ad2aef79e3

📥 Commits

Reviewing files that changed from the base of the PR and between 70ec026 and 488bc07.

📒 Files selected for processing (1)
  • .github/workflows/security-scan-source.yml

📝 Walkthrough

The dependabot-audit-fix job's if: condition is updated to require both github.actor == 'dependabot[bot]' and inputs.head_ref != ''. The prior allowance for github.event_name == 'schedule' is removed, restricting execution to only when dependabot acts as the triggering actor with a valid branch reference supplied.

Changes

Restrict dependabot-audit-fix Job Execution

Layer / File(s): Guard dependabot-audit-fix job on actor and head_ref (.github/workflows/security-scan-source.yml)
Summary: Updates the job's if: condition to require github.actor == 'dependabot[bot]' and inputs.head_ref != '', removing the prior github.event_name == 'schedule' allowance.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • tehw0lf/workflows#85: Modifies the same dependabot-audit-fix job condition in security-scan-source.yml with related actor and branch-based gating logic.
  • tehw0lf/workflows#86: Handles the upstream head_ref input passing and validation that feeds into the dependabot-audit-fix job condition check.

Poem

🐇 A schedule once opened the audit gate wide,
Now actor and branch-ref must both coincide.
Dependabot trusted, head_ref standing tall,
Two guards at the door—no more slip-through at all! 🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

Check name                 | Status    | Explanation
Description Check          | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check                | ✅ Passed | The title accurately and specifically describes the main change: adding a guard condition to skip the autofix job when head_ref is empty, which directly matches the core modification in the workflow file.
Docstring Coverage         | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check        | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


The autofix job requires a Dependabot branch as PR target. On schedule
events github.head_ref is always empty, so the job would always skip
(or previously fail). Restrict the condition to dependabot[bot] actor
only – schedule runs report audit findings but cannot open a fix PR.
tehw0lf merged commit 331e69e into main on Jun 18, 2026
2 of 3 checks passed
tehw0lf deleted the fix/npm-audit-autofix-coderabbit-followup-2 branch on June 18, 2026 15:07