From 349efa70e702b83e6f16039ede93008b92394f2b Mon Sep 17 00:00:00 2001
From: Talisson Costa <talisson.odcosta@gmail.com>
Date: Tue, 5 May 2026 13:47:32 -0300
Subject: [PATCH] ci(chromatic): skip Chromatic on Dependabot PRs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Dependabot PRs run with a separate secrets store (Settings → Secrets →
Dependabot) that doesn't include CHROMATIC_PROJECT_TOKEN, so the action
aborts with "Missing project token". Skip the job for Dependabot —
main's post-merge push runs Chromatic with full secrets, so any visual
regression a bump introduces is still caught one merge later.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/frontend-chromatic.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/frontend-chromatic.yml b/.github/workflows/frontend-chromatic.yml
index 2874f1e8c000..05da418eefab 100644
--- a/.github/workflows/frontend-chromatic.yml
+++ b/.github/workflows/frontend-chromatic.yml
@@ -23,7 +23,12 @@ jobs:
   chromatic:
     name: Chromatic
     runs-on: ubuntu-latest
-    if: github.event_name == 'push' || github.event.pull_request.draft == false
+    # Dependabot PRs use a separate secrets store, so they can't read
+    # CHROMATIC_PROJECT_TOKEN. main's post-merge push runs Chromatic
+    # with full secrets, so coverage isn't lost.
+    if: |
+      github.actor != 'dependabot[bot]'
+      && (github.event_name == 'push' || github.event.pull_request.draft == false)
 
     defaults:
       run: