Description
The "Submit uv.lock dependencies" step in dependency-review.yml fails on fork PRs with HttpError: Resource not accessible by integration because the GITHUB_TOKEN for fork PRs is read-only, while the Dependency Submission API requires contents: write.
The step comment on line 26 states "Skipped on fork PRs (read-only token)" but no if: condition implements this skip. Same-repo PRs pass because they receive the elevated contents: write permission declared on the job.
Steps to Reproduce
- Open a PR from a fork (e.g., PR #1008, "feat(security): add basic security reviewer agent with owasp skills", from JasonTheDeveloper/hve-core)
- Observe that the "Review Dependencies" check fails with 2 errors
Expected Behavior
The "Submit uv.lock dependencies" step should be skipped on fork PRs. The "Dependency Review" step should still run.
Actual Behavior
The step attempts the Dependency Submission API call, receives a 403, and fails the entire job.
Proposed Fix
Add a fork-detection condition to the step:
      - name: Submit uv.lock dependencies
        if: github.event.pull_request.head.repo.full_name == github.repository
        uses: advanced-security/component-detection-dependency-submission-action@9c110eb34dee187cd9eca76a652b9f6a0ed22927 # v0.1.1
        with:
          detectorArgs: 'UvLock=EnableIfDefaultOff'
Affected File
.github/workflows/dependency-review.yml (lines 26-28)
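For context, the following is an added illustration of a complete job with the proposed condition in place; it is a constructed example, not the repository's actual dependency-review.yml. The job-level permissions block and the unconditional "Dependency Review" step show why the read-only step keeps running on forks while only the submission step is skipped. The checkout and dependency-review-action version tags are assumed.

```yaml
# Constructed example, not the project's workflow file.
name: Dependency Review

on:
  pull_request:

permissions:
  contents: read          # workflow default; the job below raises only what it needs

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    permissions:
      contents: write     # required by the Dependency Submission API; on fork PRs
                          # GITHUB_TOKEN is still read-only regardless of this setting
    steps:
      - uses: actions/checkout@v4   # version tag assumed

      # Only needs read access, so it runs on every PR, fork or same-repo.
      - name: Dependency Review
        uses: actions/dependency-review-action@v4   # version tag assumed

      # Writes to the dependency graph, which a fork PR's token cannot do.
      # Gate on the head repository being this repository so fork PRs skip
      # the step instead of failing the whole job with a 403.
      - name: Submit uv.lock dependencies
        if: github.event.pull_request.head.repo.full_name == github.repository
        uses: advanced-security/component-detection-dependency-submission-action@9c110eb34dee187cd9eca76a652b9f6a0ed22927 # v0.1.1
        with:
          detectorArgs: 'UvLock=EnableIfDefaultOff'
```

With this layout a fork PR shows the submission step as skipped rather than failed, and the "Review Dependencies" check reflects only the result of the Dependency Review step.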
Evidence
Failed run on PR #1008: HttpError: Resource not accessible by integration
All 29 other checks on the same PR pass. The same workflow passes on same-repo PRs (e.g., PR #1106).