
ci: gate optional publish/notify jobs behind repository variables#3950

Merged
d-cs merged 2 commits into
mainfrom
ci/gate-helm-prerelease-behind-variable
Jun 15, 2026

Conversation

@d-cs

@d-cs d-cs commented Jun 15, 2026

Collaborator

Summary

Several optional workflow jobs fail on forks and private mirrors that lack org-specific secrets or registry permissions. This adds per-job repository-variable gates so those deployments can switch them off without editing workflows — matching the pattern from #3901 (ENABLE_CLAUDE_CODE / ENABLE_WORKFLOW_SECURITY_SCAN).

Two variables, both default-enabled (a job runs unless its variable is explicitly 'false'), so canonical-repo behaviour is unchanged where the variables are unset:

ENABLE_HELM_PRERELEASE — gates the chart-publish jobs that push to oci://ghcr.io/<owner>/charts (needs write_package on the owner's charts namespace):

  • helm-prerelease.yml, prerelease job

  • release-helm.yml, release job

    Without the permission these fail with 403: denied: permission_denied: write_package on every PR / helm-v* tag. The lint-and-test jobs (lint + template + kubeconform, no push) always run, so chart validity is still enforced everywhere.

ENABLE_DEPENDABOT_ALERTS — gates the Dependabot notifier crons that need DEPENDABOT_ALERTS_TOKEN / SLACK_BOT_TOKEN and post to a specific Slack:

  • dependabot-critical-alerts.yml, alert job (daily cron)

  • dependabot-weekly-summary.yml, summary job (weekly cron)

    On a fork/mirror these otherwise fire on schedule and fail (or post nowhere) indefinitely.

Test plan

  • Variables unset (default): all jobs run as today.
  • ENABLE_HELM_PRERELEASE=false: helm lint-and-test runs, publish jobs skip — no 403 on repos lacking write_package.
  • ENABLE_DEPENDABOT_ALERTS=false: the two cron jobs skip cleanly (neutral, not failed).

🤖 Generated with Claude Code

The prerelease job pushes the packaged chart to oci://ghcr.io/<owner>/charts,
which needs write_package on the owner's charts namespace. Forks and private
mirrors that lack it fail this job (403 permission_denied) on every PR.

Add an ENABLE_HELM_PRERELEASE gate, matching the pattern from #3901: the job
runs unless the variable is explicitly 'false', so behaviour is unchanged
where it's unset. The lint-and-test job (no push) always runs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
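The gating pattern the PR description lays out, written out as two workflow files (shown in one fence, separated by `---`). This is an added illustration, not the project's own helm-prerelease.yml or dependabot-critical-alerts.yml; the job, step, chart and script names (lint-and-test, prerelease, alert, charts/mychart, scripts/notify.sh, the cron time) are assumptions, and only the variable names, the gate expressions and the secret names come from the description above.

```yaml
# Added example, not the project's workflow files. Job, step, chart and
# script names are assumptions; the variable names and gate expressions
# are the ones described in the PR.
name: helm

on:
  pull_request:
  push:
    tags: ["helm-v*"]

jobs:
  lint-and-test:
    # Validation never pushes to a registry, so it is never gated: chart
    # validity is still enforced on forks and private mirrors.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: azure/setup-helm@v4
      - run: helm lint charts/mychart

  prerelease:
    # Default-enabled gate: an unset repository variable evaluates to '' and
    # '' != 'false' is true, so the job runs unless ENABLE_HELM_PRERELEASE is
    # set to the string 'false'. The pre-existing event condition is kept and
    # combined with the gate using &&.
    if: ${{ github.event_name == 'pull_request' && vars.ENABLE_HELM_PRERELEASE != 'false' }}
    needs: lint-and-test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write   # write_package on the owner's charts namespace
    steps:
      - uses: actions/checkout@v4
      - uses: azure/setup-helm@v4
      - name: Log in to GHCR
        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u "${{ github.actor }}" --password-stdin
      - name: Package and push the chart
        run: |
          helm package charts/mychart --destination dist
          helm push dist/*.tgz oci://ghcr.io/${{ github.repository_owner }}/charts

---
# Same pattern on a scheduled notifier: a fork that has neither secret sets
# ENABLE_DEPENDABOT_ALERTS=false and the cron is skipped instead of failing
# every day.
name: dependabot-critical-alerts

on:
  schedule:
    - cron: "0 8 * * *"   # daily (time is an assumption)
  workflow_dispatch:

jobs:
  alert:
    if: ${{ vars.ENABLE_DEPENDABOT_ALERTS != 'false' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Post critical Dependabot alerts to Slack
        env:
          DEPENDABOT_ALERTS_TOKEN: ${{ secrets.DEPENDABOT_ALERTS_TOKEN }}
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
        run: ./scripts/notify.sh
```

Two details matter for the "unset means enabled" behaviour. Repository variables are always strings, so the comparison must be against the string 'false'; writing `vars.ENABLE_HELM_PRERELEASE != false` (a boolean) would make GitHub coerce both sides to numbers, and an unset variable ('' → 0) would then compare equal to false and skip the job on the canonical repo. GitHub's string comparison is also case-insensitive, so 'False' and 'FALSE' disable the job too. A job skipped by `if:` reports as skipped rather than failed, which is the neutral outcome the test plan asks for; attach any required status check to the never-gated lint-and-test job rather than to the gated publish job.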
@changeset-bot

changeset-bot Bot commented Jun 15, 2026


⚠️ No Changeset found

Latest commit: 5cc93f7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@coderabbitai

coderabbitai Bot commented Jun 15, 2026

Contributor


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 49bebb96-8b04-4f3d-8697-0b71ccae9708

📥 Commits

Reviewing files that changed from the base of the PR and between 3f62dcb and 5cc93f7.

📒 Files selected for processing (3)
  • .github/workflows/dependabot-critical-alerts.yml
  • .github/workflows/dependabot-weekly-summary.yml
  • .github/workflows/release-helm.yml
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Analyze (actions)
🔇 Additional comments (3)
.github/workflows/release-helm.yml (1)

66-70: LGTM!

.github/workflows/dependabot-critical-alerts.yml (1)

28-31: LGTM!

.github/workflows/dependabot-weekly-summary.yml (1)

22-25: LGTM!


Walkthrough

Four GitHub Actions workflow jobs now conditionally execute based on repository variables. The prerelease job in helm-prerelease.yml and the release job in release-helm.yml skip execution when vars.ENABLE_HELM_PRERELEASE equals 'false'. The alert job in dependabot-critical-alerts.yml and the summary job in dependabot-weekly-summary.yml skip execution when vars.ENABLE_DEPENDABOT_ALERTS equals 'false'. Existing event-based conditions on Helm jobs remain unchanged. Inline documentation explains the default enabled behavior and how to disable via repository variables.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The PR description is missing several required template sections: the Closes issue reference, completed checklist, and the structured Changelog section. Add the issue reference (Closes #), complete the checklist items, and include a concise Changelog section summarizing what changed.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: adding repository variable gates to optional CI publish/notify jobs.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@d-cs d-cs marked this pull request as draft June 15, 2026 11:20

@devin-ai-integration devin-ai-integration Bot left a comment

Contributor


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.


…ory variables

Extends the helm-prerelease gate to the other optional jobs that fail on
forks/mirrors lacking org-specific secrets or registry permissions:

- ENABLE_DEPENDABOT_ALERTS gates the daily critical-alerts and weekly
  summary crons (need DEPENDABOT_ALERTS_TOKEN / SLACK_BOT_TOKEN).
- ENABLE_HELM_PRERELEASE also gates release-helm's publish (same GHCR
  write_package requirement as the prerelease job).

All default to enabled, so canonical-repo behaviour is unchanged; a job
runs unless its variable is explicitly 'false'.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@d-cs d-cs changed the title ci: gate Helm chart prerelease publish behind a repository variable ci: gate optional publish/notify jobs behind repository variables Jun 15, 2026
@d-cs d-cs self-assigned this Jun 15, 2026
@d-cs d-cs marked this pull request as ready for review June 15, 2026 11:31

@devin-ai-integration devin-ai-integration Bot left a comment

Contributor


Devin Review found 1 new potential issue.


Comment thread .github/workflows/release-helm.yml
@d-cs d-cs merged commit 1cf56e5 into main Jun 15, 2026
26 checks passed
@d-cs d-cs deleted the ci/gate-helm-prerelease-behind-variable branch June 15, 2026 11:41