Skip to content

Skip AI code review on Dependabot PRs#54

Open
arunshenoy99 wants to merge 1 commit into
mainfrom
fix/PRESS0-4266-pt-1
Open

Skip AI code review on Dependabot PRs#54
arunshenoy99 wants to merge 1 commit into
mainfrom
fix/PRESS0-4266-pt-1

Conversation

@arunshenoy99

Copy link
Copy Markdown
Member

Why

Follow-up to scheduled Dependabot auto-merge.

The Review PR diff AI code-review check hard-fails on every Dependabot PR with Missing required secret: CLOUDFLARE_ACCOUNT_ID. GitHub withholds repository secrets from Dependabot-context runs, so the Cloudflare AI gateway secrets are empty and the reusable review workflow errors out.

Because the auto-merge gate requires all checks to be green, that permanently red check blocks auto-merge for all Dependabot PRs.

What

Guard the AI-review job on github.actor != 'dependabot[bot]' so it is skipped on Dependabot PRs. A skipped job counts as passing, so it no longer blocks auto-merge, and we don't spend AI-gateway quota reviewing dependency bumps.

No change to behavior on human/fork PRs.

GitHub withholds repo secrets from Dependabot-context runs, so the
Cloudflare AI gateway secrets are empty and the review job hard-fails
on every Dependabot PR. That red check permanently blocked auto-merge.
Guard the job on github.actor so it is skipped (which counts as passing)
for Dependabot.
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

AI code review

✅ Strengths

  • Clear and targeted fix: gating the AI review job to skip Dependabot PRs directly addresses the missing-secrets hard-fail and unblocks auto-merge.
  • Good rationale captured in comments: explains the why and expected behavior succinctly for future maintainers.
  • Preserves existing safety checks (no drafts, no forks), keeping behavior unchanged for human/fork PRs as intended.

⚠️ Suggestions (non-blocking)

  • Consider identifying Dependabot PRs by PR author or branch naming instead of github.actor. Using github.actor will skip only when the run is initiated by the Dependabot bot; if a maintainer pushes to the Dependabot branch or re-runs the job, the actor will be the human and the job will run (consuming AI quota). A more robust guard:
    • PR author: github.event.pull_request.user.login == 'dependabot[bot]'
    • Or branch: startsWith(github.event.pull_request.head.ref, 'dependabot/')
    • Combined example (skip if either condition): github.event.pull_request.draft == false && github.event.pull_request.head.repo.fork == false && (github.event.pull_request.user.login != 'dependabot[bot]' && !startsWith(github.event.pull_request.head.ref, 'dependabot/')) inverted as needed for your style.
  • If you want to be extra future-proof, consider also accommodating the legacy dependabot-preview[bot] (likely unnecessary now, but low-cost to include).
  • Minor: multi-line if: >- is fine; consider aligning the continued lines for readability (already good), or keep as a single line if preferred for grep-ability.

❌ Issues (blocking)

  • None found. The change is scoped, low risk, and improves reliability of automation. No security or performance concerns from the diff.

Verdict

⚠️ Verdict: Merge with minor follow-ups. The change fixes the auto-merge blocker. If you want to ensure all Dependabot PR runs are consistently skipped (even when a maintainer pushes or re-runs), switch the condition to check the PR author or head branch prefix rather than github.actor.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant