
GH#4002: Fix OpenCode AI Agent and Review Bot Gate workflows showing action_required on PRs #4012

Merged
marcusquinn merged 2 commits into main from bugfix/issue-4002-workflow-action-required
Mar 9, 2026

Conversation


@alex-solovyev alex-solovyev commented Mar 9, 2026

Summary

  • Add job-level if conditions to skip workflow execution when the triggering actor is a known review bot (CodeRabbit, Gemini Code Assist, Augment, Copilot, GitHub Actions, Dependabot)
  • For the Review Bot Gate, only filter pull_request_review events from bots (the issue_comment path from bots works fine and is the primary re-trigger mechanism)
  • Also updates the opencode-github-workflow.yml template with the same fix

Problem

GitHub requires manual approval for workflow runs triggered by bot accounts on pull_request_review and pull_request_review_comment events. When review bots post reviews, both workflows fire but get stuck at action_required, creating 87 stale status checks across PRs. This causes the pulse to report PRs as FAIL/PENDING even when the code is mergeable.

Root Cause

The github.actor for bot-triggered events is the bot account (e.g., gemini-code-assist[bot]). GitHub's security model requires manual approval for workflow runs from accounts without write access. The workflows had no actor filtering, so every bot review comment triggered a workflow run that immediately got stuck.

Verification

  • issue_comment events from bots do NOT cause action_required (confirmed: 0 action_required runs from issue_comment events)
  • pull_request_review and pull_request_review_comment events from bots DO cause action_required (confirmed: 87 stale runs, all from these event types)
  • The Review Bot Gate preserves the issue_comment trigger path from bots, ensuring the gate still re-evaluates when bots post their reviews as comments
  • All YAML files validated syntactically

Closes #4002

Summary by CodeRabbit

  • Chores
    • Updated GitHub workflows to prevent known review bots from triggering security checks and review gates.
    • Expanded and clarified the list of excluded bot accounts and refined gating logic to avoid bot-triggered workflow runs while preserving existing behavior for human-triggered events.

…us on PRs

GitHub requires manual approval for workflow runs triggered by bot accounts
on pull_request_review and pull_request_review_comment events. When review
bots (CodeRabbit, Gemini, etc.) post reviews, both the OpenCode AI Agent
and Review Bot Gate workflows fire but get stuck at action_required, creating
permanent stale status checks on PRs.

Fix: Add job-level 'if' conditions to skip execution when the triggering
actor is a known review bot. For the Review Bot Gate, only filter on
pull_request_review events (issue_comment from bots works fine and is the
primary re-trigger path). For the OpenCode AI Agent, filter all bot actors
since bots never post /oc or /opencode trigger commands.

Also updates the opencode-github-workflow.yml template with the same fix.

Closes #4002
@github-actions github-actions bot added the bug Auto-created from TODO.md tag label Mar 9, 2026

coderabbitai bot commented Mar 9, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 26a86f7e-94f2-4020-8032-83b77c385dfa

📥 Commits

Reviewing files that changed from the base of the PR and between a111a1d and b676bc2.

📒 Files selected for processing (3)
  • .github/workflows/opencode-agent.yml
  • .github/workflows/review-bot-gate.yml
  • configs/mcp-templates/opencode-github-workflow.yml

Walkthrough

Adds actor-based guard conditions to three GitHub Actions workflow files so known review bots are excluded from triggering security-check and review-gate jobs; existing behavior for non-bot actors is preserved.

Changes

Cohort / File(s) Summary
Workflow guards
.github/workflows/opencode-agent.yml, configs/mcp-templates/opencode-github-workflow.yml
Replaced/expanded inline if with block-style conditions that exclude a set of known bot actors (e.g., coderabbitai, gemini-code-assist[bot], augment-code[bot], copilot[bot], github-actions[bot], dependabot[bot]) while keeping original trigger checks.
Review bot gate
.github/workflows/review-bot-gate.yml
Adds/expands job-level if-condition and updates in-script KNOWN_BOTS list and comments to avoid running gate on reviews originating from listed bot accounts; clarifies handling of rate-limited vs. real bot reviews.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🤖 Bots tap keys in twilight's code,
Guards wake, but skip the trusted node.
CI hums on, no action_required dread,
Pipelines flow — no manual thread.
Cheers to smoother runs ahead. 🚀

🚥 Pre-merge checks | ✅ 5 passed
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately and concisely describes the primary change: fixing OpenCode AI Agent and Review Bot Gate workflows to prevent action_required status on PRs.
  • Linked Issues check: Passed. All objectives from issue #4002 are met: bot-triggered workflows are now filtered to prevent action_required status; the Review Bot Gate preserves the issue_comment path while filtering pull_request_review events from bots.
  • Out of Scope Changes check: Passed. All changes are directly scoped to addressing the action_required issue: workflow gate logic updates in opencode-agent.yml, review-bot-gate.yml, and the opencode-github-workflow.yml template.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; the docstring coverage check was skipped.


@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves a persistent issue where GitHub Actions workflows, specifically the OpenCode AI Agent, would enter an action_required state when triggered by review bots. This problem stemmed from GitHub's security policies requiring manual approval for bot-initiated workflow runs. By introducing actor-based conditional checks, the changes ensure that these workflows are automatically skipped when a known bot is the trigger, thereby eliminating stale status checks and improving the accuracy of PR mergeability reporting.

Highlights

  • Bot Exclusion Logic: Implemented conditional logic within the opencode job to prevent its execution when triggered by specific bot accounts (CodeRabbit, Gemini Code Assist, Copilot, GitHub Actions, Dependabot).
  • Workflow Status Resolution: Addressed the issue of workflows getting stuck in an action_required state on pull requests by preventing bot-triggered runs that require manual approval.
Changelog
  • configs/mcp-templates/opencode-github-workflow.yml
    • Modified the if condition for the opencode job to include checks for github.actor not being a known bot.
    • Added a comment explaining the rationale behind skipping bot-triggered runs to avoid action_required statuses.
Ignored Files
  • Ignored by pattern: .github/workflows/** (2)
    • .github/workflows/opencode-agent.yml
    • .github/workflows/review-bot-gate.yml
Activity
  • No human activity has been recorded on this pull request yet.


github-actions bot commented Mar 9, 2026

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 393 code smells

[INFO] Recent monitoring activity:
Mon Mar 9 20:57:53 UTC 2026: Code review monitoring started
Mon Mar 9 20:57:54 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 393

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 393
  • VULNERABILITIES: 0

Generated on: Mon Mar 9 20:57:56 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
configs/mcp-templates/opencode-github-workflow.yml (1)

29-33: Consider stricter trigger matching for production deployments.

The template uses contains(github.event.comment.body, '/oc') which could match unintended substrings (e.g., /doc, /proc). The deployed opencode-agent.yml uses a stricter regex with word boundaries: /(^|\s)\/(oc|opencode)\b/m. This is acceptable for a lightweight template, but users deploying to production should consider adopting the stricter pattern from the main workflow.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@configs/mcp-templates/opencode-github-workflow.yml` around lines 29 - 33, The
current trigger uses contains(github.event.comment.body, '/oc') and
contains(..., '/opencode') which can match unintended substrings; replace these
contains checks with a regex match using matches(github.event.comment.body,
'(^|\\s)\\/(oc|opencode)\\b') (or the equivalent stricter pattern used in
opencode-agent.yml) so the workflow only triggers on whole-word commands with
optional leading whitespace; update the if condition to use matches(...) for
both variants to tighten production deployments.
.github/workflows/review-bot-gate.yml (1)

76-82: Clarify the intentional divergence between if-condition bots and KNOWN_BOTS array.

The KNOWN_BOTS array excludes github-actions[bot] and dependabot[bot] that are in the job-level if condition. This appears intentional — these bots are excluded from triggering the workflow but are not code review bots whose reviews we wait for.

Consider adding a brief comment to make this distinction explicit for future maintainers:

📝 Suggested clarifying comment
          # Known review bot patterns (case-insensitive matching on login)
-         # Add new bots here as they are configured
+         # Add new bots here as they are configured.
+         # NOTE: This list differs from the job-level if-condition which also
+         # excludes github-actions[bot] and dependabot[bot]. Those bots are
+         # excluded from triggering this workflow but are NOT code review bots
+         # whose reviews we wait for.
          KNOWN_BOTS=(
            "coderabbitai"
            "gemini-code-assist[bot]"
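Review bot: the added comment records that KNOWN_BOTS deliberately omits github-actions[bot] and dependabot[bot], but it does not say which entries the two lists must share, so a maintainer adding a new review bot to one place can still forget the other. State the invariant in the comment: every login in KNOWN_BOTS must also appear in the job-level if-condition (otherwise that bot's pull_request_review events reach the job and sit at action_required), while the reverse is not required. It is also worth noting next to "case-insensitive matching on login" that "coderabbitai" carries no [bot] suffix while "gemini-code-assist[bot]" does, since anyone who later switches this list to a suffix check would silently drop CodeRabbit.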
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/review-bot-gate.yml around lines 76 - 82, Add a short
clarifying comment above the KNOWN_BOTS array explaining why it intentionally
omits github-actions[bot] and dependabot[bot] (these are filtered at the
job-level if-condition to stop workflow triggering, whereas KNOWN_BOTS is used
to identify code-review bots whose reviews we wait for); reference KNOWN_BOTS
and the job-level if condition in the comment so future maintainers understand
the different purposes.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@configs/mcp-templates/opencode-github-workflow.yml`:
- Around line 34-38: Update the actor exclusion list to include the two missing
Augment bot variants so the conditional that checks github.actor excludes
'augment-code[bot]' and 'augmentcode[bot]' alongside the existing entries
('coderabbitai', 'gemini-code-assist[bot]', 'copilot[bot]',
'github-actions[bot]', 'dependabot[bot]'); locate the conditional block that
compares github.actor (the lines containing github.actor != ...) and add those
two strings in the same style/format so Augment reviews are treated as bots and
do not trigger action_required.

---

Nitpick comments:
In @.github/workflows/review-bot-gate.yml:
- Around line 76-82: Add a short clarifying comment above the KNOWN_BOTS array
explaining why it intentionally omits github-actions[bot] and dependabot[bot]
(these are filtered at the job-level if-condition to stop workflow triggering,
whereas KNOWN_BOTS is used to identify code-review bots whose reviews we wait
for); reference KNOWN_BOTS and the job-level if condition in the comment so
future maintainers understand the different purposes.

In `@configs/mcp-templates/opencode-github-workflow.yml`:
- Around line 29-33: The current trigger uses
contains(github.event.comment.body, '/oc') and contains(..., '/opencode') which
can match unintended substrings; replace these contains checks with a regex
match using matches(github.event.comment.body, '(^|\\s)\\/(oc|opencode)\\b') (or
the equivalent stricter pattern used in opencode-agent.yml) so the workflow only
triggers on whole-word commands with optional leading whitespace; update the if
condition to use matches(...) for both variants to tighten production
deployments.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a6f5ba0e-a3bc-41d6-8a38-b9d06e9b0b75

📥 Commits

Reviewing files that changed from the base of the PR and between a111a1d and 252416e.

📒 Files selected for processing (3)
  • .github/workflows/opencode-agent.yml
  • .github/workflows/review-bot-gate.yml
  • configs/mcp-templates/opencode-github-workflow.yml
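Added example, not code from this PR or from the project's workflow files: a stand-alone shell model of the two job-level gates described in the PR summary, combined with the stricter whole-word /oc and /opencode match raised in the CodeRabbit nitpick above. The function names, the "run"/"skip" output convention and the generic "[bot]"-suffix match (taken from the Gemini suggestion) are assumptions made for this example; the real workflows express the same decision as GitHub Actions if: expressions over github.actor and github.event_name. The grep pattern is a POSIX ERE translation of the (^|\s)\/(oc|opencode)\b regex quoted from opencode-agent.yml, so it runs under plain sh.

```shell
#!/bin/sh
# Added example (not the project's own code): an offline model of the two
# job-level gates this PR adds, so the decision table can be exercised
# without a GitHub runner. Function names and the run/skip convention are
# assumptions for this example.

# is_bot_actor LOGIN -> exit 0 if LOGIN is one of the bots listed in the PR
# description, or any GitHub App login carrying the "[bot]" suffix.
# Matching is case-insensitive on the login, as review-bot-gate.yml does.
is_bot_actor() {
  local actor
  actor=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$actor" in
    coderabbitai|'gemini-code-assist[bot]'|'augment-code[bot]'|'augmentcode[bot]'|'copilot[bot]'|'github-actions[bot]'|'dependabot[bot]'|*'[bot]')
      return 0 ;;
  esac
  return 1
}

# has_trigger_command BODY -> exit 0 if BODY contains /oc or /opencode as a
# whole word (start of a line or preceded by whitespace, not followed by a
# word character). A plain substring test would also fire on /doc or /proc.
has_trigger_command() {
  printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])/(oc|opencode)([^[:alnum:]_]|$)'
}

# opencode_agent_gate EVENT ACTOR BODY -> prints "run" or "skip".
# Every bot actor is skipped regardless of event type (bots never post the
# trigger command); a human still needs the command in the comment body.
opencode_agent_gate() {
  local event=$1 actor=$2 body=$3
  if is_bot_actor "$actor"; then echo skip; return; fi
  if has_trigger_command "$body"; then echo run; else echo skip; fi
}

# review_bot_gate EVENT ACTOR -> prints "run" or "skip".
# Only review-type events from bots are dropped (they are the ones that hang
# at action_required); issue_comment from a bot stays live because it is the
# gate's primary re-trigger path.
review_bot_gate() {
  local event=$1 actor=$2
  case "$event" in
    pull_request_review|pull_request_review_comment)
      if is_bot_actor "$actor"; then echo skip; return; fi ;;
  esac
  echo run
}

# Constructed sample run (not real workflow events).
opencode_agent_gate issue_comment alex-solovyev '/oc fix the flaky test'   # run
opencode_agent_gate issue_comment alex-solovyev 'see /doc and /proc'      # skip
review_bot_gate pull_request_review 'gemini-code-assist[bot]'             # skip
review_bot_gate issue_comment coderabbitai                                # run
```

A job skipped by its if: condition reports a skipped conclusion instead of waiting at action_required, which is the whole of the fix; it does not change who is allowed to run the workflow. The suffix check catches a newly installed review app without a list edit, at the cost of also skipping any GitHub App a maintainer does want to drive the agent, and it does not cover CodeRabbit, whose login has no suffix, so the explicit entry has to stay.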

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request aims to fix an issue where workflows get stuck in an action_required state when triggered by bot comments by adding conditions to the opencode job to skip execution for known bot actors. No security vulnerabilities were found. My review includes suggestions to improve the maintainability of the bot filtering logic and to include a bot that was mentioned in the description but was missed in the implementation.

Comment on lines +34 to +38
github.actor != 'coderabbitai' &&
github.actor != 'gemini-code-assist[bot]' &&
github.actor != 'copilot[bot]' &&
github.actor != 'github-actions[bot]' &&
github.actor != 'dependabot[bot]'


medium

The PR description mentions filtering out the 'Augment' bot, but it's missing from this list. Its actor name is likely augment-dev[bot].

For better maintainability, you can generalize the bot filter. Most bot actors use the [bot] suffix. You can simplify the condition to catch these, with a special case for coderabbitai. This would also cover augment-dev[bot] and any future bots following the convention.

      !endsWith(github.actor, '[bot]') &&
      github.actor != 'coderabbitai'

…NOWN_BOTS

- Add augment-code[bot] and augmentcode[bot] to opencode-github-workflow.yml
  template to match the deployed opencode-agent.yml bot exclusion list
- Add clarifying comment to review-bot-gate.yml explaining why KNOWN_BOTS
  array intentionally differs from the job-level if-condition (trigger
  exclusion vs review-bot identification serve different purposes)

github-actions bot commented Mar 9, 2026

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 393 code smells

[INFO] Recent monitoring activity:
Mon Mar 9 21:16:45 UTC 2026: Code review monitoring started
Mon Mar 9 21:16:45 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 393

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 393
  • VULNERABILITIES: 0

Generated on: Mon Mar 9 21:16:48 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

@marcusquinn
Owner

@coderabbitai review

All CHANGES_REQUESTED items have been addressed in commit b676bc2. The Augment bot variants are now included in the template, and the KNOWN_BOTS clarifying comment has been added. Please re-review.

@coderabbitai
Contributor

coderabbitai bot commented Mar 9, 2026

@marcusquinn Thanks for the update! I'll kick off a fresh review pass now to verify that all the previously flagged items — including the Augment bot variants in the template and the KNOWN_BOTS clarifying comment — have been properly addressed in commit b676bc2.


🧠 Learnings used
Learnt from: marcusquinn
Repo: marcusquinn/aidevops PR: 0
File: :0-0
Timestamp: 2026-03-03T16:33:18.313Z
Learning: For the marcusquinn/aidevops repository: The daily quality sweep system (pulse-wrapper.sh) should only mention coderabbitai for full codebase review when there are significant changes (Quality Gate failure, +10 issues in one day, etc.), not on every automated sweep with stable metrics.
✅ Actions performed

Full review triggered.

@marcusquinn
Owner

Cannot auto-merge: PR modifies .github/workflows/ files but the current token lacks the workflow scope. Run gh auth refresh -s workflow in your terminal to add the scope, then this PR will merge on the next pulse cycle.

PR is otherwise ready: CI passing, APPROVED review, 1 unresolved bot suggestion (minor).

@marcusquinn
Owner

Dispatching worker to address CodeRabbit suggestion.

  • Model: sonnet (anthropic/claude-sonnet-4-6)
  • Branch: bugfix/issue-4002-workflow-action-required
  • Scope: Add augment-code[bot] and augmentcode[bot] to exclusion list in configs/mcp-templates/opencode-github-workflow.yml
  • Attempt: 1 of 1
  • Direction: Minor template sync — match deployed workflow's bot exclusion list

@marcusquinn marcusquinn merged commit fe7054f into main Mar 9, 2026
30 checks passed
@marcusquinn marcusquinn deleted the bugfix/issue-4002-workflow-action-required branch March 9, 2026 23:45

Labels

bug Auto-created from TODO.md tag needs-review-fixes

Development

Successfully merging this pull request may close these issues.

fix: OpenCode AI Agent and Review Bot Gate workflows show action_required on PRs with review comments

2 participants