From 08f305fad9fe76664630080dd4e9430e12cb3e21 Mon Sep 17 00:00:00 2001
From: Nicolas BOULEIN
Date: Mon, 30 Mar 2026 10:00:30 +0200
Subject: [PATCH 1/2] feat: add BYPASS_SECURITY option to composer-update workflow

Allow callers to pass `BYPASS_SECURITY: true` to skip the composer security audit (`--no-audit`) during dependency updates.

---
 .github/workflows/composer-update.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/composer-update.yml b/.github/workflows/composer-update.yml
index 9f5f489..3f439a3 100644
--- a/.github/workflows/composer-update.yml
+++ b/.github/workflows/composer-update.yml
@@ -12,6 +12,11 @@ on:
         default: ""
         required: false
         type: string
+      BYPASS_SECURITY:
+        description: Bypass composer security audit during update
+        default: false
+        required: false
+        type: boolean
     secrets:
       COMPOSER_AUTH_JSON:
         description: Authentication for privately hosted packages and repositories as a JSON formatted object.
@@ -58,7 +63,7 @@ jobs:
           COMPOSER_CONFIG: ${{ vars.COMPOSER_CONFIG_JSON }}
           INSTALL_AND_CACHE: false
 
-      - run: composer update --no-interaction --no-scripts --prefer-dist --no-dev
+      - run: composer update --no-interaction --no-scripts --prefer-dist --no-dev ${{ inputs.BYPASS_SECURITY && '--no-audit' || '' }}
 
       - name: Generate composer diff
         id: composer_diff
From 295ef46335e06c124583281ebe315432dbd44847 Mon Sep 17 00:00:00 2001
From: Nicolas BOULEIN
Date: Mon, 30 Mar 2026 10:46:35 +0200
Subject: [PATCH 2/2] fix: disable composer block-insecure when BYPASS_SECURITY is enabled

--no-audit only skips the post-install audit report. The dependency resolver still blocks packages with known vulnerabilities via the audit.block-insecure config. Disable it explicitly when bypassing.

---
 .github/workflows/composer-update.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/composer-update.yml b/.github/workflows/composer-update.yml
index 3f439a3..ba78f61 100644
--- a/.github/workflows/composer-update.yml
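Review bot: The `${{ inputs.BYPASS_SECURITY && '--no-audit' || '' }}` appended to the `composer update` line switches the audit off with nothing in the job output recording that a caller did so, so a bypass is invisible to anyone reviewing the run afterwards. Add a guarded step ahead of the update that surfaces it as an annotation, `- if: ${{ inputs.BYPASS_SECURITY }}` followed by `run: echo "::warning::Composer security audit bypassed via BYPASS_SECURITY"`. A blanket skip is also broader than most callers need; if the usual motive is one known advisory, Composer's `audit.ignore` config (a list of advisory or CVE IDs) keeps the audit active for everything else and may be the better thing to expose as an input. The job containing this step starts before the hunk.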
+++ b/.github/workflows/composer-update.yml
@@ -63,6 +63,10 @@ jobs:
           COMPOSER_CONFIG: ${{ vars.COMPOSER_CONFIG_JSON }}
           INSTALL_AND_CACHE: false
 
+      - name: Disable composer security block
+        if: ${{ inputs.BYPASS_SECURITY }}
+        run: composer config audit.block-insecure false
+
       - run: composer update --no-interaction --no-scripts --prefer-dist --no-dev ${{ inputs.BYPASS_SECURITY && '--no-audit' || '' }}
 
       - name: Generate composer diff
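Review bot: `composer config audit.block-insecure false` is run without `--global`, so it writes the setting into the project's composer.json; the "Generate composer diff" step that follows, and any commit or pull request this workflow produces from the update, would then carry the bypass permanently and disable the insecure-package block for every future run rather than this one. Scope it to the runner's throwaway home config with `run: composer config --global audit.block-insecure false` (assuming the key is accepted there), or restore composer.json after the update. Since this step is where the flag is flipped, it is also the natural place to make the bypass visible in the log, e.g. a `run: |` block that starts with `echo "::warning::Composer security audit bypassed (BYPASS_SECURITY=true)"` before the config command. The enclosing job starts before the hunk.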