Skip to content

Skip AI code review on Dependabot PRs#766

Open
arunshenoy99 wants to merge 1 commit into
mainfrom
fix/PRESS0-4266-pt-1
Open

Skip AI code review on Dependabot PRs#766
arunshenoy99 wants to merge 1 commit into
mainfrom
fix/PRESS0-4266-pt-1

Conversation

@arunshenoy99

Copy link
Copy Markdown
Member

Why

Follow-up to scheduled Dependabot auto-merge.

The Review PR diff AI code-review check hard-fails on every Dependabot PR with Missing required secret: CLOUDFLARE_ACCOUNT_ID. GitHub withholds repository secrets from Dependabot-context runs, so the Cloudflare AI gateway secrets are empty and the reusable review workflow errors out.

Because the auto-merge gate requires all checks to be green, that permanently red check blocks auto-merge for all Dependabot PRs.

What

Guard the AI-review job on github.actor != 'dependabot[bot]' so it is skipped on Dependabot PRs. A skipped job counts as passing, so it no longer blocks auto-merge, and we don't spend AI-gateway quota reviewing dependency bumps.

No change to behavior on human/fork PRs.

GitHub withholds repo secrets from Dependabot-context runs, so the
Cloudflare AI gateway secrets are empty and the review job hard-fails
on every Dependabot PR. That red check permanently blocked auto-merge.
Guard the job on github.actor so it is skipped (which counts as passing)
for Dependabot.
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

AI code review

✅ Strengths

  • Clear, minimal guard to prevent hard-failing the AI review on Dependabot PRs; rationale well-documented inline.
  • Uses a job-level if so the workflow run remains green via a skipped job, unblocking auto-merge and avoiding AI quota burn.
  • Preserves existing behavior for human and fork PRs; no changes to the reusable workflow.

⚠️ Suggestions (non-blocking)

  • Prefer checking the PR author rather than the actor to make skipping resilient to manual re-runs or other automation actors. Example:
    • github.event.pull_request.user.login != 'dependabot[bot]'
    • Rationale: github.actor can be a human on re-run or github-actions[bot] on automation, which could unintentionally run the job (and spend credits) on a Dependabot-authored PR.
  • Optional belt-and-suspenders alternative: also guard on the branch naming convention for Dependabot PRs, e.g., !startsWith(github.event.pull_request.head.ref, 'dependabot/').
  • Double-check branch protection expectations: most orgs treat "skipped" as passing, but if your required checks are strict about success state, consider a conditional continue-on-error: true or moving this guard into the reusable workflow so all consumers inherit the behavior.

❌ Issues (blocking/critical)

  • None found. The expression syntax and YAML folding look correct. No security or reliability regressions evident.

Verdict

⚠️ Verdict: Good change to unblock Dependabot auto-merge. Safe to merge as-is; consider the PR-author check refinement in a follow-up to make the skip robust across re-runs and automations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant