From 3a299e9af6d402dd2fe04e8ea4129fa16bcfe790 Mon Sep 17 00:00:00 2001
From: Steven Serrata
Date: Thu, 26 Mar 2026 10:09:24 -0400
Subject: [PATCH] fix(ci): route dependabot through gated analyze_unsafe path

Explicitly check for dependabot[bot] actor and set is-org-member-result to false so Dependabot PRs flow through the analyze_unsafe job with the environment approval gate rather than failing the Precheck step entirely.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/deploy-preview.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/deploy-preview.yml b/.github/workflows/deploy-preview.yml
index d31a307ff..d28df182f 100644
--- a/.github/workflows/deploy-preview.yml
+++ b/.github/workflows/deploy-preview.yml
@@ -17,6 +17,10 @@ jobs:
 - name: Check if actor is org member
 id: is-org-member
 run: |
+ if [ "${{ github.actor }}" = "dependabot[bot]" ]; then
+ echo "is-org-member-result=false" >> "$GITHUB_OUTPUT"
+ exit 0
+ fi
 status=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $GH_TOKEN" \
 https://api.github.com/orgs/PaloAltoNetworks/members/${{ github.actor }})
 if [ "$status" = "204" ]; then
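Review bot: The added test `if [ "${{ github.actor }}" = "dependabot[bot]" ]` expands the expression into the script text before the shell runs, the same pattern the existing curl URL below it uses. Actor logins are restricted enough that this is unlikely to be injectable, but GitHub's hardening guidance is to pass context values through the environment, so I would add `ACTOR: ${{ github.actor }}` under the step's `env:` and compare `"$ACTOR"` both here and in the URL. The short-circuit itself fails closed, since a Dependabot actor is sent to the approval-gated path rather than the trusted one; a comment such as `# Dependabot is never an org member: route it to the approval-gated analyze_unsafe job` above the `if` would record that intent. The step's `env:` block and the rest of the `run:` script lie outside the hunk, so how GH_TOKEN is supplied is not visible here.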