fix(ci): #540 — skip key-dependent steps on dependabot PRs #541

Closed

Knapp-Kevin wants to merge 1 commit into dev from fix/dependabot-auth-gate-degradation

@Knapp-Kevin

Collaborator

What

Stop dependabot PRs from hard-failing on auth-gated CI checks they structurally can't pass. Closes #540.

Dependabot-triggered PRs run with Secret source: Dependabot and don't receive the ci-test environment's ANTHROPIC_API_KEY. Diagnosed via /qor-debug on #522: the sigstore bump resolved cleanly (pip → sigstore 4.2.0, no conflict; repo usage is stub-only) — both red checks were purely the missing key. #523 (cocoindex) and #417 (bm25s) fail for the same reason.

How (gating-as-observability — same family as #537/#539)

Skip only the key-dependent steps when github.actor == 'dependabot[bot]', step-level (not job-level) so the required checks still report green rather than skipped/blocked:

  • test-mcp-regression.yml: M2 grounding-recall, M_skill_preflight Step-0, Step-1.
  • v0-user-flow-e2e.yml (assertions job): the API-key visibility probe + the e2e run step.

Preserved on dependabot runs: dependency install, the full pytest suite, and the deterministic gates (M_shadow_parity, M_surrealql_coverage) — i.e. the real signal that a bump didn't break anything.

Verification

Both workflows pass yaml.safe_load. Real verification is re-running a dependabot PR (#522/#523/#417) against this branch once merged — the auth steps should skip and the checks go green. No unit-testable surface (workflow-only change).

Notes

  • Targets dev (where the dependabot PRs are based).
  • Do not merge — agent-needs-human.
  • Complementary option (not done here): mirror ANTHROPIC_API_KEY into Dependabot secrets to let the gates run normally instead of skipping.

🤖 Generated with Claude Code

Dependabot-triggered PRs run with `Secret source: Dependabot` and don't
receive the ci-test environment's ANTHROPIC_API_KEY, so every auth-gated step
hard-fails — even when the dependency bump itself is clean (diagnosed on #522
/ #523 / #417 via /qor-debug; pip resolved all three cleanly).

Skip only the key-dependent steps when github.actor == 'dependabot[bot]',
step-level (not job-level) so the required checks still report green:
- test-mcp-regression.yml: M2 grounding-recall + M_skill_preflight Step-0/1.
- v0-user-flow-e2e.yml (assertions job): the API-key probe + the e2e run.

pytest, the deterministic gates (M_shadow_parity, M_surrealql_coverage), and
the dependency install all still run on dependabot PRs — the actual signal for
a dep bump is preserved. Same gating-as-observability philosophy as #537/#539.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Knapp-Kevin added the agent-needs-human label (Agent completed work; requires human review/decision before merge) on Jun 3, 2026
@coderabbitai

coderabbitai Bot commented Jun 3, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

@jinhongkuan

Contributor

Closing during PR hygiene as stale and likely superseded by the newer CI policy direction. Issue #540 should be reassessed after #539 and the merged Dependabot bump path; open a fresh PR only if Dependabot still fails required deterministic checks. Avoid adding broad skips unless the remaining failure is truly key-dependent and advisory-only.

jinhongkuan closed this on Jun 7, 2026
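
The step-level gating described in the pull request description, as an added example that is not part of this thread or the project's workflows. The workflow name, install command and script path are hypothetical; the `ci-test` environment, the `ANTHROPIC_API_KEY` secret and the `github.actor` condition come from the description.

```yaml
# Added example. Names marked "hypothetical" are not taken from the project's workflows.
name: mcp-regression-example            # hypothetical
on:
  pull_request:
    branches: [dev]

jobs:
  regression:
    runs-on: ubuntu-latest
    environment: ci-test
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      # Runs for every actor, Dependabot included: this is the signal
      # that a dependency bump did not break anything.
      - name: Install dependencies
        run: pip install -e ".[dev]"    # hypothetical install command
      - name: pytest
        run: pytest

      # Key-dependent step: skipped only when the actor is Dependabot,
      # whose runs do not receive the environment's API key.
      - name: M2 grounding-recall
        if: github.actor != 'dependabot[bot]'
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: python scripts/m2_grounding_recall.py   # hypothetical script

      # Record the skip in the run log so it is visible rather than silent.
      - name: Note skipped key-dependent steps
        if: github.actor == 'dependabot[bot]'
        run: echo "::notice::Key-dependent steps skipped for dependabot[bot]"
```

The condition sits on the individual step, so the job still runs and reports the result of the steps that do not need the key.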