From 1d8c18f5325a7991145783b1034d533f0bc92ad0 Mon Sep 17 00:00:00 2001
From: Kemosabert
Date: Wed, 28 Feb 2024 17:22:55 +0100
Subject: [PATCH] show message and early return when running on dependabot pr

---
 src/main.ts | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/main.ts b/src/main.ts
index 0ceac9d..18880dd 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -51,6 +51,13 @@ async function run(): Promise {
 const redactedToken = '********************' + secretKey.slice(-4);
 core.info(`starting a scan with secret key: "${redactedToken}"`);
 }else{
+ const isLikelyDependabotPr = (startScanPayload.branch_name ?? '').starts_with('dependabot/')
+ if (isLikelyDependabotPr) {
+ core.info(`it looks like the action is running on a dependabot PR, this means that secret variables are not available in this context and thus we can not start a scan. Please see: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/`);
+ core.setOutput('outcome', STATUS_SUCCEEDED);
+ return;
+ }
+
 core.info(`secret key not set.`);
 }
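Review bot: `starts_with` is not a method on JS/TS strings, so the first added line of this hunk will fail type-checking (or throw a TypeError at runtime if the payload field is untyped) exactly when the secret key is missing, turning the previously graceful `secret key not set.` path into a crash; it should read `const isLikelyDependabotPr = (startScanPayload.branch_name ?? '').startsWith('dependabot/');`. Separately, setting `outcome` to `STATUS_SUCCEEDED` for a scan that never ran lets any workflow step gating on that output pass with no scan performed, and because the check keys only on a branch-name prefix that a PR author controls, any branch named `dependabot/...` gets the same pass; consider logging this with `core.warning` and a distinct non-success outcome, and, if the action has access to the workflow context, confirming the PR actually comes from Dependabot rather than relying on the branch name alone. The enclosing `run()` starts and ends outside the hunk.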