Merge pull request #34 from AikidoSec/feat/show-message-on-dependabot-pr

show message and early return when running on dependabot pr
AikidoSec · Feb 28, 2024 · 54dc298 · 54dc298
2 parents 101e7d4 + 1d8c18f
commit 54dc298
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/src/main.ts b/src/main.ts
@@ -51,6 +51,13 @@ async function run(): Promise<void> {
 			const redactedToken = '********************' + secretKey.slice(-4);
 			core.info(`starting a scan with secret key: "${redactedToken}"`);
 		}else{
+			const isLikelyDependabotPr = (startScanPayload.branch_name ?? '').starts_with('dependabot/')
+			if (isLikelyDependabotPr) {
+				core.info(`it looks like the action is running on a dependabot PR, this means that secret variables are not available in this context and thus we can not start a scan. Please see: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/`);
+				core.setOutput('outcome', STATUS_SUCCEEDED);
+				return;
+			}
+
 			core.info(`secret key not set.`);
 		}