ci: gate Dependabot notifiers and Helm release publish behind repository variables

d-cs · claude · d-cs · commit 5cc93f741bb5 · 2026-06-15T12:30:09.000+01:00
Extends the helm-prerelease gate to the other optional jobs that fail on
forks/mirrors lacking org-specific secrets or registry permissions:

- ENABLE_DEPENDABOT_ALERTS gates the daily critical-alerts and weekly
  summary crons (need DEPENDABOT_ALERTS_TOKEN / SLACK_BOT_TOKEN).
- ENABLE_HELM_PRERELEASE also gates release-helm's publish (same GHCR
  write_package requirement as the prerelease job).

All default to enabled, so canonical-repo behaviour is unchanged; a job
runs unless its variable is explicitly 'false'.

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/dependabot-critical-alerts.yml b/.github/workflows/dependabot-critical-alerts.yml
@@ -25,6 +25,10 @@ permissions:
 jobs:
   alert:
     name: Post critical alerts
+    # Set the ENABLE_DEPENDABOT_ALERTS repository variable to 'false' to turn off
+    # the Dependabot alert/summary notifiers — e.g. forks/mirrors that lack the
+    # DEPENDABOT_ALERTS_TOKEN / SLACK_BOT_TOKEN secrets. Defaults to enabled.
+    if: ${{ vars.ENABLE_DEPENDABOT_ALERTS != 'false' }}
     runs-on: ubuntu-latest
     environment: dependabot-summary
     env:
diff --git a/.github/workflows/dependabot-weekly-summary.yml b/.github/workflows/dependabot-weekly-summary.yml
@@ -19,6 +19,10 @@ permissions:
 jobs:
   summary:
     name: Post weekly Dependabot summary
+    # Set the ENABLE_DEPENDABOT_ALERTS repository variable to 'false' to turn off
+    # the Dependabot alert/summary notifiers — e.g. forks/mirrors that lack the
+    # DEPENDABOT_ALERTS_TOKEN / SLACK_BOT_TOKEN secrets. Defaults to enabled.
+    if: ${{ vars.ENABLE_DEPENDABOT_ALERTS != 'false' }}
     runs-on: ubuntu-latest
     environment: dependabot-summary
     env:
diff --git a/.github/workflows/release-helm.yml b/.github/workflows/release-helm.yml
@@ -63,6 +63,11 @@ jobs:
 
   release:
     needs: lint-and-test
+    # Set the ENABLE_HELM_PRERELEASE repository variable to 'false' to turn off
+    # publishing the chart to GHCR — e.g. forks/mirrors that lack write_package
+    # on the owner's charts namespace. Defaults to enabled; the lint-and-test
+    # job above always runs regardless.
+    if: ${{ vars.ENABLE_HELM_PRERELEASE != 'false' }}
     runs-on: ubuntu-latest
     permissions:
       contents: write # for gh-release
