SocketDev · lelia · Jun 3, 2026
@@ -104,3 +104,34 @@ jobs:
         env:
           SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_CLI_API_TOKEN }}
         run: bash ${{ matrix.validate }}
+
+  # Branch protection requires the e2e-* checks, but the `e2e` job above is
+  # skipped on PRs that can't access repository secrets -- fork PRs and
+  # Dependabot PRs. A job skipped via a job-level `if` never expands its
+  # matrix, so the e2e-* check contexts are never created and the required
+  # checks sit at "Expected -- Waiting for status to be reported" forever,
+  # permanently blocking merge.
+  #
+  # This bypass reports a green status under the SAME e2e-* check names for
+  # exactly those PRs, satisfying branch protection without running the real
+  # tests (which need SOCKET_CLI_API_TOKEN). Its `if` is the precise negation
+  # of the e2e job's run condition, so the two are mutually exclusive: any
+  # given PR runs one or the other, never both, and never neither.
+  #
+  # Dependency-bump risk on these PRs is still covered by dependency-review.yml's
+  # Socket Firewall smoke jobs, which run without repository secrets.
+  e2e-bypass:
+    if: >-
+      github.event_name == 'pull_request' &&
+      (github.event.pull_request.head.repo.full_name != github.repository ||
+        github.event.pull_request.user.login == 'dependabot[bot]')
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        name: [scan, sarif, reachability, gitlab, json, pypi]
+    name: e2e-${{ matrix.name }}
+    steps:
+      - name: Report skip status
+        run: |
+          echo "Skipping e2e-${{ matrix.name }} for a PR without repository secrets"
+          echo "(fork or Dependabot). Dependency risk is covered by dependency-review.yml."