From b9b0b26621f73885f05a053cac1a43545e7e58d8 Mon Sep 17 00:00:00 2001
From: Alain Kaeslin
Date: Fri, 9 Jan 2026 17:08:33 +0100
Subject: [PATCH] ci: skip integration tests if CLOUDSCALE_API_TOKEN is missing

Dependabot PRs and PRs from forks do not have access to repository secrets. This change ensures that the integration test job is skipped when the API token is unavailable, preventing unnecessary build failures while still allowing linting and unit tests to run.
---
 .github/workflows/ccm-integration-tests.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/ccm-integration-tests.yml b/.github/workflows/ccm-integration-tests.yml
index f5acd7c..23cc2e8 100644
--- a/.github/workflows/ccm-integration-tests.yml
+++ b/.github/workflows/ccm-integration-tests.yml
@@ -122,6 +122,14 @@ jobs:
 integration:
 name: "Kubernetes ${{ matrix.kubernetes }}"
 runs-on: ubuntu-latest
+ # Skip integration tests if the API token is missing (e.g., Dependabot or forks).
+ # Additionally, only run for PRs whose head repo matches this repository to
+ # avoid executing untrusted forked PR code with secrets.
+ # Admins can manually trigger this job for a specific branch via the 'Actions' tab
+ # using 'workflow_dispatch' after reviewing the code changes.
+ if: |
+ secrets.CLOUDSCALE_API_TOKEN != '' &&
+ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
 needs:
 - lint
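Review bot: The added job-level `if:` reads `secrets.CLOUDSCALE_API_TOKEN`, but the `secrets` context is not available in `jobs.<job_id>.if` (only `github`, `needs`, `vars` and `inputs` are), so this is expected to fail workflow validation instead of skipping the job. Derive a boolean in an earlier job that maps the secret into a step `env:` and exports only `true`/`false` as an output, then gate `integration` on that output, as sketched below. The fork guard is keyed on `github.event_name != 'pull_request'`, so a `pull_request_target` run would pass it without the head-repo check; the `on:` block is outside this hunk, so confirm that trigger is not used, or compare the head repo whenever `github.event.pull_request` is set. The `integration` job continues past the end of the hunk.

```yaml
  # Job and output names are illustrative. Only a boolean leaves this job,
  # never the token itself.
  check-token:
    runs-on: ubuntu-latest
    outputs:
      available: ${{ steps.token.outputs.available }}
    steps:
      - id: token
        env:
          CLOUDSCALE_API_TOKEN: ${{ secrets.CLOUDSCALE_API_TOKEN }}
        run: |
          echo "available=${{ env.CLOUDSCALE_API_TOKEN != '' }}" >> "$GITHUB_OUTPUT"

  integration:
    # … unchanged: name, runs-on, explanatory comments …
    if: >-
      needs.check-token.outputs.available == 'true' &&
      (github.event_name != 'pull_request' ||
      github.event.pull_request.head.repo.full_name == github.repository)
    needs:
      - lint
      - check-token
```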