chore: Skip CD pipelines on Depandabot's PRs

.github/workflows/cd.yml

@@ -30,8 +30,8 @@ jobs:
   build-and-push-artifacts:
     name: Build and push artifacts for Python ${{ matrix.python_version }}
     runs-on: ubuntu-latest
-    # Only run for base repo, not forks
-    if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
+    # Only run for base repo, not forks or dependabot
+    if: (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request') && github.actor != 'dependabot[bot]'
     strategy:
       fail-fast: false
       matrix:
@@ -122,8 +122,8 @@ jobs:
     name: All artifacts pushed
     runs-on: ubuntu-latest
     needs: build-and-push-artifacts
-    # Only run if the build job ran (i.e., not for forks)
-    if: always() && (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request')
+    # Only run if the build job ran (i.e., not for forks or dependabot)
+    if: always() && (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request') && github.actor != 'dependabot[bot]'
     steps:
       - name: Check matrix job results
         env:
@@ -144,8 +144,8 @@ jobs:
   publish-python-package:
     name: Publish Python package
     runs-on: ubuntu-latest
-    # Only run for base repo, not forks
-    if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
+    # Only run for base repo, not forks or dependabot
+    if: (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request') && github.actor != 'dependabot[bot]'
     outputs:
       version: ${{ steps.build.outputs.version }}
     permissions:
@@ -284,8 +284,8 @@ jobs:
     name: Publish to PyPI
     runs-on: ubuntu-latest
     needs: publish-python-package
-    # Only run for base repo when a new tag is created
-    if: (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request') && startsWith(github.ref, 'refs/tags/')
+    # Only run for base repo when a new tag is created, not for dependabot
+    if: (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request') && startsWith(github.ref, 'refs/tags/') && github.actor != 'dependabot[bot]'
     permissions:
       contents: read
       id-token: write
@@ -308,8 +308,8 @@ jobs:
     name: Deploy review app
     runs-on: ubuntu-latest
     needs: build-and-push-artifacts-status
-    # Only run for base repo PRs, not forks
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
+    # Only run for base repo PRs, not forks or dependabot
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]'
     steps:
       - name: Checkout code
         uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
@@ -353,8 +353,8 @@ jobs:
     name: Jupyter for local
     runs-on: ubuntu-latest
     needs: build-and-push-artifacts-status
-    # Only run for base repo, not forks
-    if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
+    # Only run for base repo, not forks or dependabot
+    if: (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request') && github.actor != 'dependabot[bot]'
     permissions:
       id-token: write
       contents: read

.github/workflows/ci.yml

@@ -217,6 +217,8 @@ jobs:
   gitleaks:
     name: Gitleaks check
     runs-on: ubuntu-latest
+    # Only run for base repo, not forks
+    if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
     steps:
       - name: Checkout code
         uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4