From 72ef9fcbbb8b607e7bf365580a9d17dc5cd83bb0 Mon Sep 17 00:00:00 2001
From: keting
Date: Wed, 20 May 2026 06:26:12 +0000
Subject: [PATCH] fix(ci): skip CodeQL gate wait on Dependabot PRs

The CodeQL Required gate polls for GitHub-managed Analyze check runs, but the default setup does not emit them for Dependabot-authored pull requests. The gate timed out (e.g. PR #120) even though the change was only a lockfile bump that CodeQL would not analyze anyway. Detect Dependabot PRs and skip the wait, mirroring the existing fork-pull-request handling.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/codeql.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0c617b5..5efcda9 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -57,6 +57,9 @@ jobs:
 const isForkPullRequest = Boolean(
 pullRequest && pullRequest.head.repo.full_name !== pullRequest.base.repo.full_name,
 );
+const isDependabotPullRequest = Boolean(
+pullRequest && pullRequest.user?.login === 'dependabot[bot]',
+);
 
 const requiredChecks = [];
 if (process.env.JS_CHANGED === 'true') {
@@ -81,6 +84,13 @@ jobs:
 return;
 }
 
+if (isDependabotPullRequest) {
+core.info(
+`Skipping CodeQL gate for Dependabot pull request ${pullRequest.number}; GitHub-managed CodeQL default setup does not run Analyze on Dependabot-authored PRs.`,
+);
+return;
+}
+
 const ref = context.payload.pull_request?.head?.sha || context.sha;
 const owner = context.repo.owner;
 const repo = context.repo.repo;
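Review bot: The early return in the second hunk is keyed only on the PR author (`isDependabotPullRequest`, computed in the first hunk from `pullRequest.user?.login`), so the required gate is also waived for commits later pushed to the Dependabot branch by other collaborators and for Dependabot updates that do touch analyzable code, although the description motivates the skip with a lockfile-only bump. The script already reads `process.env.JS_CHANGED` a few lines below the first hunk; narrowing the condition to `if (isDependabotPullRequest && process.env.JS_CHANGED !== 'true') {` keeps the wait (and its timeout) in place when a Dependabot PR changes JavaScript, so a missing Analyze run is surfaced instead of silently passing the gate. It would also help the audit trail if the `core.info` message stated that the skip applies only to non-code changes, so a run log shows why a required check passed with no Analyze result. The enclosing github-script step begins and ends outside both hunks, so the exact placement of `JS_CHANGED` relative to the skip is inferred from the first hunk's context lines.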