Skip Neon preview branch jobs when PR secrets are unavailable

[Copilot]

Dependabot pull_request runs were failing in Create Neon Branch because NEON_API_KEY is not exposed to those workflows. As a result, the Neon preview workflow turned expected secret restrictions into hard CI failures.

• Workflow guard

  • Added a setup-time gate in .github/workflows/neon-preview-branches.yml that computes whether Neon preview jobs should run.
  • The workflow now skips Neon branch creation/deletion when:
    • NEON_API_KEY or NEON_PROJECT_ID is missing
    • the PR actor is dependabot[bot]

• Job conditions

  • Updated both create_neon_branch and delete_neon_branch to depend on the computed neon_enabled output instead of assuming secrets are always available.
  • This preserves current behavior for normal PRs with configured Neon credentials while preventing false-negative workflow failures.

• Docs

  • Updated the Neon workflow docs to describe the new skip behavior for Dependabot and unconfigured repositories, so skipped jobs are understood as intentional rather than broken.

Example of the new guard:

if [ -z "$NEON_API_KEY" ] || [ -z "$NEON_PROJECT_ID" ]; then
  enabled=false
elif [ "$WORKFLOW_ACTOR" = "dependabot[bot]" ]; then
  enabled=false
fi

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
q-pyth	Ready	Preview, Comment	Apr 4, 2026 3:09pm

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

This PR makes the Neon preview branch workflow resilient to GitHub’s secret restrictions (notably Dependabot pull_request runs) by adding an explicit guard that skips Neon create/delete jobs when credentials aren’t available, and documents the intended skip behavior.

Changes:

• Add a setup-time neon_enabled gate that detects missing NEON_API_KEY / NEON_PROJECT_ID and Dependabot actors.
• Update create_neon_branch and delete_neon_branch job conditions to run only when neon_enabled is true.
• Document the new “skipped by design” behavior in workflow setup/troubleshooting docs.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
.github/workflows/neon-preview-branches.yml	Adds neon_enabled output guard and uses it to conditionally run Neon create/delete jobs.
docs/neon-preview-workflow.md	Documents that Neon jobs are skipped (not failed) for Dependabot or missing credentials.
GITHUB_ACTIONS_SETUP.md	Adds troubleshooting guidance explaining Dependabot secret limitations and expected skips.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The Dependabot-specific skip message is currently unreachable when secrets are not exposed: for Dependabot PRs, NEON_API_KEY will be empty, so the first if branch fires and logs "credentials are unavailable" instead of the Dependabot explanation. Consider checking WORKFLOW_ACTOR == dependabot[bot] first (or using separate if blocks) so the logs accurately describe why the jobs are skipped.

Suggested change

	if [ -z "$NEON_API_KEY" ] || [ -z "$NEON_PROJECT_ID" ]; then
	enabled=false
	echo "Skipping Neon preview jobs because repository Neon credentials are unavailable."
	elif [ "$WORKFLOW_ACTOR" = "dependabot[bot]" ]; then
	enabled=false
	echo "Skipping Neon preview jobs for Dependabot pull requests because secrets are not exposed."
	if [ "$WORKFLOW_ACTOR" = "dependabot[bot]" ]; then
	enabled=false
	echo "Skipping Neon preview jobs for Dependabot pull requests because secrets are not exposed."
	elif [ -z "$NEON_API_KEY" ] || [ -z "$NEON_PROJECT_ID" ]; then
	enabled=false
	echo "Skipping Neon preview jobs because repository Neon credentials are unavailable."

[Copilot]

This troubleshooting step says to add both NEON_API_KEY and NEON_PROJECT_ID in "repository Actions settings", but earlier in the doc NEON_API_KEY is a Secret while NEON_PROJECT_ID is a Repository Variable. Suggest explicitly calling out "Secrets and variables" (and which one goes where) to avoid misconfiguration.

Suggested change

	2. For regular PRs, add `NEON_API_KEY` and `NEON_PROJECT_ID` in repository Actions settings if Neon preview branches should run
	2. For regular PRs, add `NEON_API_KEY` as a repository Actions **Secret** and `NEON_PROJECT_ID` as a repository Actions **Variable** if Neon preview branches should run