amcheste · amcheste · Apr 3, 2026 · Apr 3, 2026 · Apr 3, 2026 · Apr 3, 2026
@@ -0,0 +1 @@
+* @amcheste
@@ -98,24 +98,11 @@ jobs:
           git checkout -b "$BRANCH"
           git push origin "$BRANCH"
 
+          printf '## Monthly dependency patch — v%s\n\nThis PR was opened automatically. It bumps the patch version to capture\n**%s Dependabot update(s)** merged to `develop` since the last release.\n\n## What to do\n1. Review the dependency commits included in this release\n2. Merge this PR into `develop`\n3. Promote `develop`→`main` via CLI merge (or run `/publish-release`)\n4. Push the tag to trigger the release pipeline\n\n> **Note:** CI will not auto-run on this PR due to GitHub token restrictions.\n> All dependency changes were individually validated by CI when Dependabot\n> merged them to `develop`. Trigger CI manually if you want an extra check.\n' \
+            "${NEW_VERSION}" "${DEP_COUNT}" > /tmp/pr-body.md
+
           gh pr create \
             --base develop \
             --head "$BRANCH" \
             --title "chore: release v${NEW_VERSION} (monthly dependency patch)" \
-            --body "$(cat <<EOF
-## Monthly dependency patch — v${NEW_VERSION}
-
-This PR was opened automatically. It bumps the patch version to capture
-**${DEP_COUNT} Dependabot update(s)** merged to \`develop\` since the last release.
-
-## What to do
-1. Review the dependency commits included in this release
-2. Merge this PR into \`develop\`
-3. Open the \`develop\`→\`main\` release PR (or run \`/publish-release\`)
-4. Push the tag to trigger the release pipeline
-
-> **Note:** CI will not auto-run on this PR due to GitHub token restrictions.
-> All dependency changes were individually validated by CI when Dependabot
-> merged them to \`develop\`. Trigger CI manually if you want an extra check.
-EOF
-)"
+            --body-file /tmp/pr-body.md
@@ -29,6 +29,7 @@ jobs:
           generateSarif: "1"
 
       - uses: github/codeql-action/upload-sarif@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3
-        if: always() && github.event_name != 'pull_request'
+        if: always() && github.ref == 'refs/heads/main'
+        continue-on-error: true
         with:
           sarif_file: semgrep.sarif
@@ -5,7 +5,7 @@ on:
   schedule:
     - cron: '30 1 * * 1'  # Every Monday at 01:30 UTC
   push:
-    branches: [main, develop]
+    branches: [main]
   workflow_dispatch:
 
 permissions: read-all
@@ -14,6 +14,7 @@ jobs:
   analysis:
     name: Scorecard Analysis
     runs-on: ubuntu-latest
+    continue-on-error: true  # Scorecard requires a public repo — fails silently on private repos
     permissions:
       security-events: write
       id-token: write
@@ -38,5 +39,7 @@ jobs:
           retention-days: 5
 
       - uses: github/codeql-action/upload-sarif@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v4
+        if: github.ref == 'refs/heads/main'
+        continue-on-error: true
         with:
           sarif_file: results.sarif