From e7a2c65c47b758d9e75c4a038d0252003d3c66db Mon Sep 17 00:00:00 2001
From: mmcky
Date: Tue, 28 Oct 2025 08:46:27 +1100
Subject: [PATCH] fix: Skip Netlify deployment for Dependabot PRs

Dependabot PRs cannot access repository secrets due to GitHub's security model. This causes the Netlify preview deployment to fail with 'Unauthorized' errors.

Changes:
- Add conditional check to skip Netlify deploy when actor is dependabot[bot]
- Also skip for PRs from forks or when secrets are unavailable
- Add informative skip message step for transparency
- Only post PR comment when deployment actually succeeds
- Move secrets to job-level env for proper conditional access

This ensures:
- Dependabot PRs pass CI without Netlify preview (acceptable trade-off)
- Regular contributor PRs continue to get Netlify previews
- No security risks from exposing secrets to untrusted actors
- Clear logging when deployment is skipped

Fixes the issue reported in PR #659
---
 .github/workflows/ci.yml | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a8948040b..93b18cb78 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,6 +11,9 @@ on:
 jobs:
   preview:
     runs-on: "runs-on=${{ github.run_id }}/family=g4dn.2xlarge/image=quantecon_ubuntu2404/disk=large"
+    env:
+      NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
+      NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
     steps:
       - uses: actions/checkout@v5
         with:
@@ -168,6 +171,11 @@ jobs:
           fi
       - name: Preview Deploy to Netlify
         id: netlify-deploy
+        if: >
+          github.actor != 'dependabot[bot]' &&
+          (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) &&
+          env.NETLIFY_AUTH_TOKEN != '' &&
+          env.NETLIFY_SITE_ID != ''
         shell: bash -l {0}
         run: |
           if [ "${{ github.event_name }}" = "pull_request" ]; then
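Review bot: Moving `NETLIFY_AUTH_TOKEN` and `NETLIFY_SITE_ID` from the deploy step to the job-level `env:` of `preview` makes the token visible to every step in the job, including the checkout and any third-party actions, whereas the removed step-level `env:` exposed it to the deploy step only. The step `if:` cannot read the `secrets` context, which is presumably why the values were hoisted, but the condition only needs to know whether the secrets are set, not what they contain. A job-level boolean keeps the token step-scoped: `env:` / `NETLIFY_SECRETS_AVAILABLE: ${{ secrets.NETLIFY_AUTH_TOKEN != '' && secrets.NETLIFY_SITE_ID != '' }}` at job level, with the two secret variables restored on the deploy step and the two `env.* != ''` clauses replaced by `env.NETLIFY_SECRETS_AVAILABLE == 'true'`.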
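Review bot: The four-clause gate added to the deploy step's `if:` is repeated verbatim, negated, on the new skip step in the next hunk, so the two conditions can drift apart on a later edit and the skip message would then fire or stay silent incorrectly. Compute the decision once — a job-level `env: NETLIFY_DEPLOY_ENABLED: ${{ ... }}` or a small step with `id: gate` that writes a `deploy` output — and have both steps test that single value. As far as the commit message describes it, Dependabot-triggered runs receive no secrets, so the `env.NETLIFY_*` emptiness checks already cover that case and the `github.actor` clause is redundant; if it is kept for clarity, a comment saying so would stop a reader from treating it as the security boundary. The deploy step's `run:` block continues past the end of this hunk.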
@@ -238,11 +246,16 @@ jobs:
               echo "🎯 Preview page: ${deploy_url}/${{ github.event.inputs.preview_page }}"
             fi
           fi
-        env:
-          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
+      - name: Skip Netlify Deploy (no secrets or untrusted actor)
+        if: >
+          !(github.actor != 'dependabot[bot]' &&
+          (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) &&
+          env.NETLIFY_AUTH_TOKEN != '' &&
+          env.NETLIFY_SITE_ID != '')
+        run: |
+          echo "Skipping Netlify preview deploy: secrets unavailable or actor not trusted (actor=${{ github.actor }})"
       - name: Post PR Comment with Preview Links
-        if: github.event_name == 'pull_request'
+        if: github.event_name == 'pull_request' && steps.netlify-deploy.outputs.deploy_url != ''
         uses: actions/github-script@v7
         with:
           script: |
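Review bot: The new `steps.netlify-deploy.outputs.deploy_url != ''` guard on the PR-comment step only works if the deploy step actually writes `deploy_url` to `$GITHUB_OUTPUT`; the visible part of its run block only references a shell variable `${deploy_url}`, and if no step output is declared the comment step is now skipped on every run, successful deploys included. Confirm the output is set (an `echo "deploy_url=${deploy_url}" >> "$GITHUB_OUTPUT"` in the deploy step) or gate on `steps.netlify-deploy.outcome == 'success'` instead. In the skip step, `${{ github.actor }}` is interpolated straight into the shell line; passing it through `env:` and echoing `"$ACTOR"` is the conventional way to keep expression values out of the script text. The deploy step's run block starts before this hunk.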