ci(security): skip Snyk job when SNYK_TOKEN is unavailable (fixes Dependabot/fork PR failures)

.github/workflows/security.yml

@@ -42,13 +42,40 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      # Detect whether SNYK_TOKEN is available in this run context.
+      # Cases where it is NOT available (and therefore where Snyk would
+      # otherwise fail with `401 Unauthorized`):
+      #   - Dependabot PRs (GitHub does NOT expose regular Actions
+      #     secrets to Dependabot; it has a separate "Dependabot
+      #     secrets" namespace).
+      #   - PRs from forks (no access to repo secrets).
+      #   - Repos where SNYK_TOKEN has never been configured.
+      # In all three cases, dependency-vulnerability coverage is still
+      # provided by the `audit` job above (npm audit) and by the
+      # CodeQL Analysis workflow (separate file).
+      - name: Detect SNYK_TOKEN availability
+        id: snyk_token
+        env:
+          SNYK_TOKEN_VALUE: ${{ secrets.SNYK_TOKEN }}
+        run: |
+          if [ -z "$SNYK_TOKEN_VALUE" ]; then
+            echo "has_token=false" >> "$GITHUB_OUTPUT"
+            echo "::notice title=Snyk skipped::SNYK_TOKEN not available in this run context (Dependabot PR, fork PR, or repo without Snyk configured). Dependency-vulnerability coverage is still provided by the 'Dependency Audit' job (npm audit) and by the CodeQL Analysis workflow."
+          else
+            echo "has_token=true" >> "$GITHUB_OUTPUT"
+          fi
+
       - uses: actions/setup-node@v4
+        if: steps.snyk_token.outputs.has_token == 'true'
         with:
           node-version: '20'
 
-      - run: npm ci --ignore-scripts
+      - name: Install dependencies
+        if: steps.snyk_token.outputs.has_token == 'true'
+        run: npm ci --ignore-scripts
 
       - name: Run Snyk to check for vulnerabilities
+        if: steps.snyk_token.outputs.has_token == 'true'
         uses: snyk/actions/node@v1.0.0
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}