From 58628e555d89b0268e9bc2041c5dbf518b8cd0cf Mon Sep 17 00:00:00 2001 From: jrfnl Date: Sat, 15 Jul 2023 13:26:59 +0200 Subject: [PATCH] GH Actions: special case Dependabot PRs for Coveralls Follow up on PR 468. Turns out Dependabot PRs do not have access to secrets with the exception of (read-only) access to the `GITHUB_TOKEN`. As the coverage test runs and the Coveralls status are required builds, this blocks Dependabot PRs from being merged without overruling the required statuses. As I'd like to avoid that situation, I'm special casing Dependabot PRs for the token selection. Refs: * https://github.com/lemurheavy/coveralls-public/issues/1721 * https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#responding-to-events
---
 .github/workflows/test.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 40422292..6e37f2e9 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -366,7 +366,9 @@ jobs:
 - name: Upload coverage results to Coveralls
 if: ${{ success() }}
 env:
- COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_TOKEN }}
+ # Dependabot does not have access to secrets, other than the GH token.
+ # Ref: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
+ COVERALLS_REPO_TOKEN: ${{ github.actor != 'dependabot[bot]' || "secrets.COVERALLS_TOKEN" && "secrets.GITHUB_TOKEN" }}
 COVERALLS_PARALLEL: true
 COVERALLS_FLAG_NAME: php-${{ matrix.php }}-phpcs-${{ matrix.phpcs_version }}
 run: php-coveralls -v -x build/logs/clover.xml
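Review bot: The token expression added in both hunks (`COVERALLS_REPO_TOKEN` in this step and `github-token` in the "Coveralls Finished" step) does not resolve to either secret. GitHub Actions expressions accept only single-quoted string literals, so the double-quoted `"secrets.COVERALLS_TOKEN"` is rejected by the expression parser, and even read as text it names the secret rather than dereferencing it. Because `&&` binds tighter than `||`, the left-hand comparison also short-circuits to the boolean `true` for every actor other than Dependabot, so the token would never be selected on the normal path. The conditional form that matches the stated intent is `${{ github.actor != 'dependabot[bot]' && secrets.COVERALLS_TOKEN || secrets.GITHUB_TOKEN }}`, which additionally falls back to `GITHUB_TOKEN` whenever the secret is empty. Both steps belong to jobs that begin outside the hunks, so it is worth confirming there that the job-level `permissions` keep the fallback token as narrow as Coveralls needs.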
@@ -381,5 +383,7 @@ jobs:
 - name: Coveralls Finished
 uses: coverallsapp/github-action@v2
 with:
- github-token: ${{ secrets.COVERALLS_TOKEN }}
+ # Dependabot does not have access to secrets, other than the GH token.
+ # Ref: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
+ github-token: ${{ github.actor != 'dependabot[bot]' || "secrets.COVERALLS_TOKEN" && "secrets.GITHUB_TOKEN" }}
 parallel-finished: true