feat(ci): run integration tests on Dependabot PRs

.github/workflows/dependabot-integration.yml

@@ -0,0 +1,57 @@
+name: Dependabot Integration Tests
+
+# Dependabot-triggered runs are sandboxed by GitHub: a read-only GITHUB_TOKEN and
+# access only to the *Dependabot* secrets store — Actions secrets and variables
+# resolve to empty strings, and this holds for pull_request and pull_request_target
+# alike (the restriction keys on the PR author being dependabot[bot], not on the
+# trigger). So the normal Integration Tests workflow skips every credentialed
+# scenario on a bump and reports green without testing anything.
+#
+# This job runs the real suite for Dependabot bumps by reading all four test
+# credentials from `secrets.*`, which on a Dependabot run resolve to the
+# Dependabot store. They must be set there:
+#   Settings -> Secrets and variables -> Dependabot
+#     HOTDATA_SDK_TEST_API_URL
+#     HOTDATA_SDK_TEST_API_KEY
+#     HOTDATA_SDK_TEST_WORKSPACE_ID
+#     HOTDATA_SDK_TEST_CONNECTION_ID
+# The non-secret three live in `vars` for normal runs but ride along here as
+# secrets because Dependabot has no variables store. The guard below fails the
+# job loudly if a credential is missing, so it can never pass green while
+# silently skipping every scenario.
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: dependabot-integration-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  integration:
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    env:
+      HOTDATA_SDK_TEST_API_URL: ${{ secrets.HOTDATA_SDK_TEST_API_URL }}
+      HOTDATA_SDK_TEST_API_KEY: ${{ secrets.HOTDATA_SDK_TEST_API_KEY }}
+      HOTDATA_SDK_TEST_WORKSPACE_ID: ${{ secrets.HOTDATA_SDK_TEST_WORKSPACE_ID }}
+      HOTDATA_SDK_TEST_CONNECTION_ID: ${{ secrets.HOTDATA_SDK_TEST_CONNECTION_ID }}
+    steps:
+      - name: Require Dependabot credentials
+        run: |
+          test -n "$HOTDATA_SDK_TEST_API_KEY" || { echo "::error::HOTDATA_SDK_TEST_API_KEY is empty — set it as a *Dependabot* secret (Settings -> Secrets and variables -> Dependabot)."; exit 1; }
+          test -n "$HOTDATA_SDK_TEST_WORKSPACE_ID" || { echo "::error::HOTDATA_SDK_TEST_WORKSPACE_ID is empty — set it as a *Dependabot* secret."; exit 1; }
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
+      # No cargo cache: building the bumped crate runs its build scripts, so we
+      # never persist a cache a later trusted run could restore.
+      - name: Run integration tests
+        # --no-fail-fast runs every scenario binary even after one fails, so a
+        # red run surfaces all failing scenarios at once.
+        run: cargo test --test '*' --no-fail-fast -- --nocapture

.github/workflows/integration-tests.yml

@@ -68,6 +68,10 @@ jobs:
   # aren't injected), so this job stays green without credentials.
   integration:
     runs-on: ubuntu-latest
+    # Dependabot runs can't read these Actions secrets/vars, so the suite would
+    # skip every scenario and pass green. The dedicated Dependabot Integration
+    # Tests workflow runs the real suite via the Dependabot secrets store instead.
+    if: github.event.pull_request.user.login != 'dependabot[bot]'
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Install Rust