ci(dependabot-triage): Add outcome step

.agents/skills/fix-security-vulnerability/SKILL.md

@@ -54,7 +54,7 @@ Invoked as `--ci <category> <n1> <n2> ...`. The caller also supplies **alert det
 gh pr list --repo getsentry/sentry-javascript --head bot/dependabot-fixes-<category> --state open --json number
 ```
 
-If an open PR already exists for this branch, **stop immediately** and report `SKIPPED: open <category> fix PR already exists`. Do not create a second one — it will be refreshed on the next run after the current one merges.
+If an open PR already exists for this branch, write the run result (**CI Step 5**) with outcome `SKIPPED (open PR already exists)` and **stop**. Do not create a second one — it will be refreshed on the next run after the current one merges.
 
 ### CI Step 2: Create the branch
 
@@ -94,7 +94,7 @@ Never use `resolutions`; if that is the only option, skip the alert (record unde
 
 ### CI Step 4: Open one PR (only if at least one fix was committed)
 
-If **no** commits were made (everything skipped or already fixed), report `NOTHING TO FIX (<category>)` and stop.
+If **no** commits were made (everything skipped or already fixed), write the run result (**CI Step 5**) with outcome `NOTHING TO FIX` and **stop**.
 
 Otherwise, write the PR body to a file with the **Write tool** (not Bash redirection, and not `$(...)` — those are blocked / would mis-parse the backticks in the markdown), then push and open the PR. Use `--force` on the push so a stale remote branch from a prior run is overwritten cleanly:
 
@@ -125,7 +125,29 @@ Otherwise, write the PR body to a file with the **Write tool** (not Bash redirec
    gh pr create --repo getsentry/sentry-javascript --base develop --head bot/dependabot-fixes-<category> --title "fix(deps): <category> dependency security fixes" --body-file pr-body-<category>.md
    ```
 
-Write `pr-body-<category>.md` **after** the Step 3 commits so it is never staged by `git add -A`. Report `OPENED: <PR-url>` and stop.
+Write `pr-body-<category>.md` **after** the Step 3 commits so it is never staged by `git add -A`. Then write the run result (**CI Step 5**) with outcome `OPENED <PR-url>` and **stop**.
+
+### CI Step 5: Always write the run result (job summary)
+
+As your **final action in every path above** — `SKIPPED`, `NOTHING TO FIX`, or `OPENED` — write `fix-result-<category>.md` with the **Write tool**. The workflow appends this to the job summary, so a run that opens no PR is never ambiguous (it states _why_). Format:
+
+```markdown
+## <category> fix run
+
+**Outcome:** <one of: `OPENED <PR-url>` | `NOTHING TO FIX` | `SKIPPED (open PR already exists)`>
+
+### Fixed
+
+- `<package>` <old-version> → <new-version> — <GHSA-or-CVE> — <html_url>
+- ... (or "None.")
+
+### Needs human (not auto-fixable)
+
+- `<package>` — <reason, e.g. "major bump required" / "deep transitive, no clean parent bump"> — <html_url>
+- ... (omit this section if nothing was skipped)
+```
+
+This file is the single source of truth for what the run decided — write it even when you open no PR.
 
 ## Scan All Workflow
 

.github/workflows/dependabot-auto-triage.yml

@@ -195,6 +195,21 @@ jobs:
           claude_args: |
             --max-turns 80 --allowedTools "Write,Bash(gh pr list *),Bash(gh pr create *),Bash(git checkout *),Bash(git pull *),Bash(git add *),Bash(git commit *),Bash(git push --force -u origin bot/dependabot-fixes-*),Bash(npx yarn-update-dependency@0.7.1 *),Bash(yarn dedupe-deps:check),Bash(yarn dedupe-deps:fix),Bash(yarn why *),Bash(npm view *)"
 
+      # Surface the skill's outcome so a no-PR run is never ambiguous. A missing file means the skill
+      # didn't report (errored / ran out of turns) — distinct from a reported "NOTHING TO FIX".
+      - name: Post runtime fix result to job summary
+        if: always()
+        run: |
+          if [ -f fix-result-runtime.md ]; then
+            cat fix-result-runtime.md >> "$GITHUB_STEP_SUMMARY"
+          else
+            {
+              echo "## runtime fix run"
+              echo ""
+              echo "⚠️ No \`fix-result-runtime.md\` was produced — the skill did not report an outcome (likely an error or turn-limit). Check this job's log."
+            } >> "$GITHUB_STEP_SUMMARY"
+          fi
+
   fix-dev:
     name: Open dev fix PR
     needs: classify
@@ -254,3 +269,16 @@ jobs:
             Do NOT use Bash redirection (> file).
           claude_args: |
             --max-turns 80 --allowedTools "Write,Bash(gh pr list *),Bash(gh pr create *),Bash(git checkout *),Bash(git pull *),Bash(git add *),Bash(git commit *),Bash(git push --force -u origin bot/dependabot-fixes-*),Bash(npx yarn-update-dependency@0.7.1 *),Bash(yarn dedupe-deps:check),Bash(yarn dedupe-deps:fix),Bash(yarn why *),Bash(npm view *)"
+
+      - name: Post dev fix result to job summary
+        if: always()
+        run: |
+          if [ -f fix-result-dev.md ]; then
+            cat fix-result-dev.md >> "$GITHUB_STEP_SUMMARY"
+          else
+            {
+              echo "## dev fix run"
+              echo ""
+              echo "⚠️ No \`fix-result-dev.md\` was produced — the skill did not report an outcome (likely an error or turn-limit). Check this job's log."
+            } >> "$GITHUB_STEP_SUMMARY"
+          fi

.gitignore

@@ -78,6 +78,7 @@ noise.json
 fix-candidates-runtime.json
 fix-candidates-dev.json
 pr-body-*.md
+fix-result-*.md
 
 # Environment variables
 .env