Skip Neon preview branch jobs when PR secrets are unavailable

.github/workflows/neon-preview-branches.yml

@@ -16,11 +16,30 @@ jobs:
     name: Setup
     outputs:
       branch: ${{ steps.branch_name.outputs.current_branch }}
+      neon_enabled: ${{ steps.neon_guard.outputs.enabled }}
     runs-on: ubuntu-latest
     steps:
       - name: Get branch name
         id: branch_name
         uses: tj-actions/branch-names@v8
+      - name: Check Neon preview availability
+        id: neon_guard
+        env:
+          NEON_API_KEY: ${{ secrets.NEON_API_KEY }}
+          NEON_PROJECT_ID: ${{ vars.NEON_PROJECT_ID }}
+          WORKFLOW_ACTOR: ${{ github.actor }}
+        run: |
+          enabled=true
+
+          if [ -z "$NEON_API_KEY" ] || [ -z "$NEON_PROJECT_ID" ]; then
+            enabled=false
+            echo "Skipping Neon preview jobs because repository Neon credentials are unavailable."
+          elif [ "$WORKFLOW_ACTOR" = "dependabot[bot]" ]; then
+            enabled=false
+            echo "Skipping Neon preview jobs for Dependabot pull requests because secrets are not exposed."
+          fi
+
+          echo "enabled=$enabled" >> "$GITHUB_OUTPUT"
 
   create_neon_branch:
     name: Create Neon Branch
@@ -29,7 +48,7 @@ jobs:
       db_url_with_pooler: ${{ steps.create_neon_branch_encode.outputs.db_url_with_pooler }}
     needs: setup
     if: |
-      github.event_name == 'pull_request' && (
+      needs.setup.outputs.neon_enabled == 'true' && github.event_name == 'pull_request' && (
       github.event.action == 'synchronize'
       || github.event.action == 'opened'
       || github.event.action == 'reopened')
@@ -86,7 +105,7 @@ jobs:
   delete_neon_branch:
     name: Delete Neon Branch
     needs: setup
-    if: github.event_name == 'pull_request' && github.event.action == 'closed'
+    if: needs.setup.outputs.neon_enabled == 'true' && github.event_name == 'pull_request' && github.event.action == 'closed'
     runs-on: ubuntu-latest
     steps:
       - name: Delete Neon Branch

GITHUB_ACTIONS_SETUP.md

@@ -317,6 +317,14 @@ neonctl branches delete --project-id YOUR_PROJECT_ID preview/pr-123-old
 3. Update GitHub Secret: `NEON_API_KEY`
 4. Re-run workflow
 
+### Workflow Is Skipped on Dependabot PRs
+
+**Cause**: GitHub does not expose repository secrets to Dependabot-triggered `pull_request` workflows.
+
+**Fix**:
+1. Treat this as expected behavior for Dependabot PRs
+2. If you want Neon preview branches on non-Dependabot PRs, verify both `NEON_API_KEY` and `NEON_PROJECT_ID` are configured
+
 ### Branch Already Exists
 
 **Cause**: Previous workflow didn't clean up

docs/neon-preview-workflow.md

@@ -229,6 +229,18 @@ Use Vercel's API to set environment variables for preview deployment:
 2. Check API key has sufficient permissions
 3. Regenerate API key if needed
 
+### Workflow Skips Neon Jobs on Dependabot or Unconfigured PRs
+
+**Behavior**: `create_neon_branch` and `delete_neon_branch` are skipped instead of failing.
+
+**Why it happens**:
+1. GitHub does not expose repository secrets to Dependabot-triggered `pull_request` workflows
+2. The repository is missing `NEON_API_KEY` or `NEON_PROJECT_ID`
+
+**What to do**:
+1. No action is required for Dependabot PRs; skipping is expected
+2. For regular PRs, add `NEON_API_KEY` and `NEON_PROJECT_ID` in repository Actions settings if Neon preview branches should run
+
 ### Branch Already Exists
 
 **Error**: `Branch already exists`