Don't run preview deployments for Dependabot PRs

They don't have access to the credentials needed for deployment (because the updated dependencies could exploit those).
mozilla · May 17, 2024 · c89b429 · c89b429
1 parent e5eab85
commit c89b429
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/.github/workflows/preview_deploy_gcp.yml b/.github/workflows/preview_deploy_gcp.yml
@@ -14,6 +14,10 @@ jobs:
   deploy:
     permissions: 
       pull-requests: write
+    # Secrets aren't available for Dependabot PR (because the updated
+    # dependencies might abuse them), so they don't have enough rights to
+    # do a preview deployment:
+    if: github.actor != 'dependabot[bot]'
     runs-on: ubuntu-latest
     steps:
     - name: Checkout

diff --git a/.github/workflows/preview_deploy_gcp_cleanup.yml b/.github/workflows/preview_deploy_gcp_cleanup.yml
@@ -16,6 +16,10 @@ jobs:
   deploy:
     permissions: 
       pull-requests: write
+    # Secrets aren't available for Dependabot PR (because the updated
+    # dependencies might abuse them), so they don't have enough rights to
+    # do a preview deployment:
+    if: github.actor != 'dependabot[bot]'
     runs-on: ubuntu-latest
     steps:
     - name: Setup Cloud SDK