ci(security): skip Snyk job when SNYK_TOKEN is unavailable (fixes Dependabot/fork PR failures)#102
Closed
NeuroKoder3 wants to merge 2 commits into main from
Conversation
Every Dependabot PR (and every fork PR) was failing the Security Scanning workflow at the Snyk step with `401 Unauthorized` because GitHub does not expose regular repo Actions secrets to Dependabot — Dependabot has its own separate secret namespace, so `secrets.SNYK_TOKEN` resolves to an empty string and Snyk auth fails.

Fix: gate the snyk job on `secrets.SNYK_TOKEN != ''` so it skips gracefully whenever the token is unavailable. Add a companion `snyk-skipped-notice` job that explains in the run summary why Snyk was skipped and confirms that dependency-vulnerability coverage is still provided on the PR by:
- the audit job (npm audit, in this same workflow)
- the CodeQL Analysis workflow (separate file)

This permanently unblocks Dependabot PRs and fork PRs without losing any dependency-security signal that was actually being produced.

To enable Snyk on Dependabot PRs in the future, add SNYK_TOKEN at: Settings → Secrets and variables → Dependabot → New repository secret
(Adding it to the regular Actions secrets does not work for Dependabot PRs by design.)

Co-authored-by: Cursor <cursoragent@cursor.com>
…lidation fix)
Previous attempt at this fix used `secrets.SNYK_TOKEN` in a job-level
`if:` condition. GitHub Actions rejected the workflow at parse time
("This run likely failed because of a workflow file issue", 0-second
runtime, no jobs started) because referencing the `secrets` context
inside a job-level `if:` is not supported in the same way it is at the
step level.
Refactor:
- Job-level `if:` reverts to the original simple expression
(`github.event_name != 'schedule'`).
- A new first step in the `snyk` job exposes `SNYK_TOKEN` via the `env:`
block (the documented-safe way to read a secret) and writes a
`has_token=true|false` value to `$GITHUB_OUTPUT`.
- All subsequent steps (setup-node, npm ci, Snyk action) gate on
`steps.snyk_token.outputs.has_token == 'true'`.
- When the token is absent, the step emits a GitHub Actions notice
(`::notice title=Snyk skipped::...`) explaining why and confirming
what coverage remains (npm audit + CodeQL).
- The auxiliary `snyk-skipped-notice` job is removed; the notice is
now emitted from inside the snyk job itself.
Net behaviour for the consumer (Dependabot PRs, fork PRs, repos with
no Snyk token):
- Snyk job runs to completion in seconds, posts a clear "skipped"
notice, and is reported as PASS instead of FAIL.
- The `audit` job (npm audit) is unchanged and continues to gate
the workflow on production-dependency vulnerabilities.
Validated locally with `js-yaml` (parses cleanly, 7 jobs, snyk job has
5 steps, no `secrets` reference at job level).
Co-authored-by: Cursor <cursoragent@cursor.com>
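A workflow fragment showing the step-level gating pattern the commit message describes, added here as an illustration; it is not the PR's actual diff. The `actions/checkout`, `actions/setup-node` and `snyk/actions/node` references, their versions, and the Node version are assumptions; the `has_token` output, the `::notice` text and the `github.event_name != 'schedule'` job condition follow the commit message.

```yaml
jobs:
  snyk:
    name: Snyk
    runs-on: ubuntu-latest
    # Job-level if: must not reference the secrets context (parse-time error),
    # so it keeps only the original event filter.
    if: github.event_name != 'schedule'
    steps:
      - name: Check whether SNYK_TOKEN is available
        id: snyk_token
        env:
          # Reading the secret through env: is the supported way to test it.
          # For Dependabot PRs and fork PRs this resolves to an empty string.
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          if [ -n "$SNYK_TOKEN" ]; then
            echo "has_token=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_token=false" >> "$GITHUB_OUTPUT"
            echo "::notice title=Snyk skipped::SNYK_TOKEN is not available in this context (Dependabot PR, fork PR, or repo without the secret). Dependency coverage is still provided by the npm audit job in this workflow and by the CodeQL Analysis workflow."
          fi

      # Every remaining step is gated on the output above, so the job finishes
      # green in seconds when the token is absent instead of failing with 401.
      - uses: actions/checkout@v4            # assumed version
        if: steps.snyk_token.outputs.has_token == 'true'

      - uses: actions/setup-node@v4          # assumed version
        if: steps.snyk_token.outputs.has_token == 'true'
        with:
          node-version: 20                   # assumed

      - run: npm ci
        if: steps.snyk_token.outputs.has_token == 'true'

      - name: Run Snyk
        if: steps.snyk_token.outputs.has_token == 'true'
        uses: snyk/actions/node@master       # assumed action reference
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```

The separate `audit` job (`npm audit`) is untouched by this pattern and remains the mandatory gate for production-dependency vulnerabilities.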
Summary

Both open Dependabot PRs (#100 and #101) — and any future Dependabot PR or fork PR — were failing the Security Scanning workflow at the Snyk step with `401 Unauthorized` because GitHub does not expose regular Actions secrets to Dependabot. `secrets.SNYK_TOKEN` resolves to an empty string in those contexts, Snyk auth fails, the job fails, and the PR check is red.

This PR makes the Snyk job skip gracefully when `SNYK_TOKEN` is unavailable, with a companion `snyk-skipped-notice` job that explains in the run summary why Snyk was skipped and confirms what coverage remains.

What's still covered when Snyk skips

- `audit` job (in this same workflow) runs `npm audit --omit=dev --audit-level=moderate` — fails the workflow on any moderate+ production dependency vulnerability.
- `CodeQL Analysis` workflow (separate file) runs and is independent of `SNYK_TOKEN`.

What this does NOT change

- `main` branch (and on every PR opened from a branch in this repo by a maintainer), if `SNYK_TOKEN` is set in the regular Actions secrets, Snyk runs exactly as before.
- `audit` job is unchanged and still mandatory.

How to enable Snyk on Dependabot PRs in the future

Add `SNYK_TOKEN` as a Dependabot secret, not an Actions secret. Adding it under Actions does not work for Dependabot PRs — that's a deliberate GitHub design.

Test plan

- `js-yaml` (verified locally).
- `audit`, `snyk`, `snyk-skipped-notice`, `lint`, `test-security`, `load-test`, `lockfile-check`, `report-audit-status`.
- `SNYK_TOKEN` is empty (Dependabot/fork PR/unconfigured repo): `snyk` is skipped and `snyk-skipped-notice` runs and posts an informational notice.
- `SNYK_TOKEN` is non-empty (maintainer PR with the secret configured): `snyk` runs as before and `snyk-skipped-notice` is skipped.

Cross-references

- 25615109066), PR chore(deps): bump fast-uri from 3.1.0 to 3.1.2 in /server #101 (run 25615285582) — both fail with `Authentication error (SNYK-0005) Status: 401 Unauthorized`.