diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index df90c79..5c96bf6 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -30,8 +30,8 @@ jobs:
 build-and-push-artifacts:
 name: Build and push artifacts for Python ${{ matrix.python_version }}
 runs-on: ubuntu-latest
- # Only run for base repo, not forks
- if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
+ # Only run for base repo, not forks or dependabot
+ if: (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request') && github.actor != 'dependabot[bot]'
 strategy:
 fail-fast: false
 matrix:
@@ -122,8 +122,8 @@ jobs:
 name: All artifacts pushed
 runs-on: ubuntu-latest
 needs: build-and-push-artifacts
- # Only run if the build job ran (i.e., not for forks)
- if: always() && (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request')
+ # Only run if the build job ran (i.e., not for forks or dependabot)
+ if: always() && (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request') && github.actor != 'dependabot[bot]'
 steps:
 - name: Check matrix job results
 env:
@@ -144,8 +144,8 @@ jobs:
 publish-python-package:
 name: Publish Python package
 runs-on: ubuntu-latest
- # Only run for base repo, not forks
- if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
+ # Only run for base repo, not forks or dependabot
+ if: (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request') && github.actor != 'dependabot[bot]'
 outputs:
 version: ${{ steps.build.outputs.version }}
 permissions:
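Review bot: The added `github.actor != 'dependabot[bot]'` clause in the `build-and-push-artifacts` condition (@@ -30) keys on who triggered the event, not on who opened the pull request, so it stops matching once a maintainer pushes to or reopens a Dependabot PR. If the goal is to keep unreviewed dependency bumps out of jobs that push artifacts or hold `id-token: write`, the PR author is the more stable signal: `&& github.event.pull_request.user.login != 'dependabot[bot]'`, kept alongside the actor check if the workflow also runs on Dependabot branch pushes (the trigger list is outside this diff). The same clause is repeated in the @@ -122, @@ -144, @@ -308 and @@ -353 hunks and has the same gap there. Each job body continues past its hunk.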
@@ -284,8 +284,8 @@ jobs:
 name: Publish to PyPI
 runs-on: ubuntu-latest
 needs: publish-python-package
- # Only run for base repo when a new tag is created
- if: (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request') && startsWith(github.ref, 'refs/tags/')
+ # Only run for base repo when a new tag is created, not for dependabot
+ if: (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request') && startsWith(github.ref, 'refs/tags/') && github.actor != 'dependabot[bot]'
 permissions:
 contents: read
 id-token: write
@@ -308,8 +308,8 @@ jobs:
 name: Deploy review app
 runs-on: ubuntu-latest
 needs: build-and-push-artifacts-status
- # Only run for base repo PRs, not forks
- if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
+ # Only run for base repo PRs, not forks or dependabot
+ if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]'
 steps:
 - name: Checkout code
 uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
@@ -353,8 +353,8 @@ jobs:
 name: Jupyter for local
 runs-on: ubuntu-latest
 needs: build-and-push-artifacts-status
- # Only run for base repo, not forks
- if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
+ # Only run for base repo, not forks or dependabot
+ if: (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request') && github.actor != 'dependabot[bot]'
 permissions:
 id-token: write
 contents: read
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cf8976d..56872e0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
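Review bot: In the "Publish to PyPI" condition (@@ -284) the tag test is the only clause that actually gates publication: on a `pull_request` event `github.ref` is `refs/pull/<n>/merge`, so the fork comparison never decides anything, and the new actor clause only matters if Dependabot can be the actor on a tag ref. For a job that holds `id-token: write`, naming the trigger explicitly is easier to audit, e.g. `if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')`, provided tag pushes are the only intended release path (the workflow's `on:` block is not in this diff). The job body continues past the hunk, so an environment or approval gate may already exist there.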
@@ -217,6 +217,8 @@ jobs:
 gitleaks:
 name: Gitleaks check
 runs-on: ubuntu-latest
+ # Only run for base repo, not forks
+ if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
 steps:
 - name: Checkout code
 uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
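Review bot: The new `if:` on the `gitleaks` job turns secret scanning off for fork pull requests, the one class of contribution that arrives without prior trust, so a credential added in a fork PR would be scanned at the earliest after merge, when it is already in history. If the skip exists because the scan step needs a token or licence secret that fork runs do not receive (the steps beyond checkout are outside the hunk), the comment should say so, e.g. `# Skipped for fork PRs: scan step needs repo secrets; fork changes are scanned only after merge`. A secret-free gitleaks invocation for fork PRs would keep the coverage instead of dropping it.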