diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index e57a3aa..97766f8 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -42,13 +42,40 @@ jobs:
     steps:
       - uses: actions/checkout@v4
+      # Detect whether SNYK_TOKEN is available in this run context.
+      # Cases where it is NOT available (and therefore where Snyk would
+      # otherwise fail with `401 Unauthorized`):
+      # - Dependabot PRs (GitHub does NOT expose regular Actions
+      #   secrets to Dependabot; it has a separate "Dependabot
+      #   secrets" namespace).
+      # - PRs from forks (no access to repo secrets).
+      # - Repos where SNYK_TOKEN has never been configured.
+      # In all three cases, dependency-vulnerability coverage is still
+      # provided by the `audit` job above (npm audit) and by the
+      # CodeQL Analysis workflow (separate file).
+      - name: Detect SNYK_TOKEN availability
+        id: snyk_token
+        env:
+          SNYK_TOKEN_VALUE: ${{ secrets.SNYK_TOKEN }}
+        run: |
+          if [ -z "$SNYK_TOKEN_VALUE" ]; then
+            echo "has_token=false" >> "$GITHUB_OUTPUT"
+            echo "::notice title=Snyk skipped::SNYK_TOKEN not available in this run context (Dependabot PR, fork PR, or repo without Snyk configured). Dependency-vulnerability coverage is still provided by the 'Dependency Audit' job (npm audit) and by the CodeQL Analysis workflow."
+          else
+            echo "has_token=true" >> "$GITHUB_OUTPUT"
+          fi
+
       - uses: actions/setup-node@v4
+        if: steps.snyk_token.outputs.has_token == 'true'
         with:
           node-version: '20'
-      - run: npm ci --ignore-scripts
+      - name: Install dependencies
+        if: steps.snyk_token.outputs.has_token == 'true'
+        run: npm ci --ignore-scripts
       - name: Run Snyk to check for vulnerabilities
+        if: steps.snyk_token.outputs.has_token == 'true'
         uses: snyk/actions/node@v1.0.0
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
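Review bot: The "Detect SNYK_TOKEN availability" step treats every empty token the same way, so a push or scheduled run on the main repository whose `SNYK_TOKEN` secret was deleted, expired or never set now ends as a green job with a `::notice` instead of a failure, and the Snyk scan silently stops running for the code that most needs it (the third bullet of the new comment block describes exactly this case as acceptable). Only the two contexts where GitHub genuinely withholds the secret should be allowed to skip: Dependabot runs (`github.actor == 'dependabot[bot]'`) and pull requests from forks (`github.event.pull_request.head.repo.fork`); an empty token anywhere else should be reported with `::error` and `exit 1` so the gap is visible in the check status rather than in a notice nobody reads. The `if:` guards on the three following steps and the checked-in `::notice` text can stay as they are. I cannot see the `audit` job the comment refers to from this hunk, so I have not verified that it actually provides the fallback coverage claimed.

```yaml
      - name: Detect SNYK_TOKEN availability
        id: snyk_token
        env:
          SNYK_TOKEN_VALUE: ${{ secrets.SNYK_TOKEN }}
          IS_DEPENDABOT: ${{ github.actor == 'dependabot[bot]' }}
          IS_FORK_PR: ${{ github.event.pull_request.head.repo.fork == true }}
        run: |
          if [ -n "$SNYK_TOKEN_VALUE" ]; then
            echo "has_token=true" >> "$GITHUB_OUTPUT"
          elif [ "$IS_DEPENDABOT" = "true" ] || [ "$IS_FORK_PR" = "true" ]; then
            echo "has_token=false" >> "$GITHUB_OUTPUT"
            # … unchanged: ::notice explaining why Snyk is skipped …
          else
            echo "::error title=Snyk not configured::SNYK_TOKEN is empty on a run that has access to repository secrets; configure the secret or remove the Snyk job."
            exit 1
          fi
      # … unchanged: gated setup-node / npm ci / snyk steps …
```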