pr.yaml: trust Dependabot in Protected File Check guard #101
Merged
The `check-protected-files` job (job name "Protected File Check") unconditionally fails on any modification to .editorconfig, Directory.Build.props, Directory.Build.targets, BannedSymbols.txt, *.globalconfig, or *.ruleset — without exempting Dependabot. That means Dependabot PRs that bump analyzer versions in Directory.Build.props (the canonical place for analyzer PackageReferences) get blocked by this guard and require a maintainer override to merge, defeating the auto-merge story for package-version bumps. Every other protected-files guard in this workflow (inline ones in detect-projects, test-linux-core, test-windows, test-macos) already carries `if: github.event.pull_request.user.login != 'dependabot[bot]'`. This change brings the standalone job in line with that pattern by short-circuiting at the job level. Required status checks treat skipped jobs as passing, so blocked Dependabot PRs will turn green after this lands. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
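The job-level exemption described above, written out as an added illustration that is not the repository's own `pr.yaml`. The job id and status name follow the PR description; the checkout action version, the diff step and the protected-file pattern list are assumptions (the patterns mirror the files the description names).

```yaml
# Added example, not the project's pr.yaml: a standalone protected-file guard
# with the Dependabot exemption applied at the job level.
name: PR validation
on:
  pull_request:

jobs:
  check-protected-files:
    name: Protected File Check
    runs-on: ubuntu-latest
    # Skip the whole job for Dependabot PRs. Required status checks treat a
    # skipped job as passing, so analyzer-version bumps stay auto-mergeable.
    # Caveat for reviewers: pull_request.user.login is the PR *author*, so the
    # exemption covers every commit on that PR, whoever pushed it later.
    if: github.event.pull_request.user.login != 'dependabot[bot]'
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # need base and head commits for the diff below
      - name: Fail if protected files changed
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # Assumed pattern list: the files the guard is meant to protect.
          changed=$(git diff --name-only "$BASE_SHA" "$HEAD_SHA")
          hits=$(printf '%s\n' "$changed" | grep -E \
            '(^|/)(\.editorconfig|Directory\.Build\.(props|targets)|BannedSymbols\.txt)$|\.(globalconfig|ruleset)$' \
            || true)
          if [ -n "$hits" ]; then
            echo "::error::Protected files modified in this PR:"
            echo "$hits"
            exit 1
          fi
```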
Contributor
Pull request overview
This PR updates the repository’s PR validation workflow to stop the Protected File Check job from blocking Dependabot PRs that legitimately modify protected configuration files (e.g., analyzer PackageReference updates in Directory.Build.props).
Changes:
- Add a Dependabot exemption to the `check-protected-files` job-level `if:` condition.
- Add explanatory comments documenting the rationale and expected branch-ruleset behavior for skipped jobs.
Summary
The `check-protected-files` job (status name Protected File Check) unconditionally fails on any change to protected config files, with no exemption for Dependabot. That blocks every Dependabot PR that bumps an analyzer version (since analyzer `PackageReference` lives in `Directory.Build.props`), forcing a maintainer override to merge what should be a hands-off auto-merge.
Fix
Adds the standard Dependabot guard to the job-level `if:`:
Required status checks treat skipped jobs as passing, so once this lands, Dependabot PRs whose only protected-file change is an analyzer-version bump will turn green on this check.
Why this is safe
Note on pattern consistency
This `pr.yaml` variant centralizes all protected-file guarding in the standalone `check-protected-files` job — there are no inline per-job guards to align with here (newer template revisions in other repos do have inline guards, each carrying the same Dependabot exemption; this PR brings the centralized-guard variant up to the same effective behavior).
Test plan