fix: skip dependency review when unsupported

mnaimfaizy · mnaimfaizy · commit 8242f3f79bf3 · 2026-04-06T18:44:03.000+10:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -16,15 +16,60 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Check dependency review API availability
+        id: dependency-review-availability
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          REPOSITORY: ${{ github.repository }}
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          response_file="$(mktemp)"
+          status_code="$(curl --silent --output "$response_file" --write-out '%{http_code}' \
+            -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+            -H "Accept: application/vnd.github+json" \
+            "https://api.github.com/repos/${REPOSITORY}/dependency-graph/compare/${BASE_SHA}...${HEAD_SHA}")"
+
+          if [ "$status_code" = "200" ]; then
+            echo "supported=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          if [ "$status_code" = "403" ] || [ "$status_code" = "404" ]; then
+            echo "supported=false" >> "$GITHUB_OUTPUT"
+            echo "status_code=$status_code" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          cat "$response_file"
+          echo "Unexpected dependency review API response: $status_code" >&2
+          exit 1
+
       - name: Checkout code
+        if: steps.dependency-review-availability.outputs.supported == 'true'
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Review dependency changes
+        if: steps.dependency-review-availability.outputs.supported == 'true'
         uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
         with:
           fail-on-severity: moderate
           fail-on-scopes: development, runtime, unknown
 
+      - name: Explain skipped dependency review
+        if: steps.dependency-review-availability.outputs.supported != 'true'
+        run: |
+          echo "::warning title=Dependency review skipped::GitHub dependency review is unavailable for this repository. Enable Dependency graph in repository settings to re-enable this check."
+          {
+            echo "## Dependency review skipped"
+            echo
+            echo "GitHub's dependency review API returned HTTP ${STATUS_CODE:-unknown} for this repository."
+            echo
+            echo "Enable Dependency graph in repository settings to re-enable actions/dependency-review-action."
+          } >> "$GITHUB_STEP_SUMMARY"
+        env:
+          STATUS_CODE: ${{ steps.dependency-review-availability.outputs.status_code }}
+
   secure-install-review:
     name: Secure Install Review
     runs-on: ubuntu-latest
