fix(workflows): allow dependabot[bot] to activate AW Dependabot PR Review#586
Merged
Conversation
…view - Add on.bots: [dependabot[bot]] so pre_activation bypasses the default role check that blocks bots with role 'none' - Keep on.roles explicit at the default for documentation - Recompile aw-dependabot-pr-review.lock.yml via gh aw compile Refs #585 🤖 - Generated by Copilot
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Snapshot WarningsEnsure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice. Scanned FilesNone |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #586 +/- ##
==========================================
+ Coverage 63.91% 66.56% +2.65%
==========================================
Files 250 262 +12
Lines 15409 16639 +1230
Branches 2163 2301 +138
==========================================
+ Hits 9848 11076 +1228
Misses 5274 5274
- Partials 287 289 +2
*This pull request uses carry forward flags. Click here to find out more. 🚀 New features to boost your workflow:
|
bindsi
approved these changes
Apr 28, 2026
This was referenced Apr 28, 2026
Closed
WilliamBerryiii
pushed a commit
that referenced
this pull request
May 8, 2026
🤖 I have created a release *beep* *boop* --- ## [0.8.0](v0.7.4...v0.8.0) (2026-05-08) ### ⚠ BREAKING CHANGES * **dataviewer:** bump frontend stack to React 19, Vite 8, Tailwind v4, MSAL 5, ESLint 10 ([#524](#524)) ### ✨ Features * **agents:** add automated validation for high-risk Dependabot bumps ([#574](#574)) ([8c3686a](8c3686a)), closes [#573](#573) * **data:** add camera selector to annotation workspace and fix AV1 frame extraction ([#591](#591)) ([c809d2f](c809d2f)) * **data:** seed dataviewer frontend test foundation and per-section codecov flags ([#594](#594)) ([c06c4e3](c06c4e3)) * **dataviewer:** add OWASP security middleware stack ([#439](#439)) ([239edb9](239edb9)) * **infrastructure:** add conversion pipeline Terraform module ([#542](#542)) ([244531e](244531e)) * **infrastructure:** upgrade OSMO to chart 1.2.1 / image 6.2 with secure auth and skrl 2.0.0 compatibility ([#492](#492)) ([edfd7a5](edfd7a5)) * **pipeline:** add ACSA setup for ROS2 bag sync to Blob ([#451](#451)) ([c271a54](c271a54)) * **workflows:** add advisory Dependabot PR reviewer agentic workflow ([#498](#498)) ([d4bb140](d4bb140)) * **workflows:** trigger AW Dependabot PR reviewer after PR Validation ([#580](#580)) ([7ab3d16](7ab3d16)) ### 🐛 Bug Fixes * **ci:** correct stale version comment for actions/create-github-app-token ([#506](#506)) ([b2e9a54](b2e9a54)) * **ci:** restore data-pipeline and training broken tests by domain folder restructure ([#547](#547)) ([06d8472](06d8472)) * **docs:** update remaining stale 'Coming soon' labels in docs/README.md ([#507](#507)) ([02439d6](02439d6)) * **docs:** update stale coming soon label for Training section ([#472](#472)) ([46db49b](46db49b)) * **evaluation:** scope SIL AzureML validation code path and script reference ([#387](#387)) ([9f138a9](9f138a9)) * **infrastructure:** OSMO workflow execution, PostgreSQL public access, and quickstart corrections ([#477](#477)) ([9ed2da6](9ed2da6)) * **scripts:** exclude CHANGELOG.md from changed-files msdate check ([#644](#644)) ([8133bdc](8133bdc)) * **workflows:** allow dependabot[bot] to activate AW Dependabot PR Review ([#586](#586)) ([39dc022](39dc022)) * **workflows:** correct branches filter on AW Dependabot PR Review workflow_run trigger ([#584](#584)) ([fe06b52](fe06b52)) * **workflows:** normalize validate.yaml placeholder env/compute values ([#510](#510)) ([340ff44](340ff44)) * **workflows:** recompile aw-dependabot-pr-review lock file ([#576](#576)) ([d77c167](d77c167)) * **workflows:** switch AW Dependabot PR Review to pull_request_target ([#589](#589)) ([3f1edd1](3f1edd1)) ### 📚 Documentation * **docs:** Fix deployment guide links ([#614](#614)) ([0070b04](0070b04)) * document dependency-pinning-artifacts directory purpose ([#508](#508)) ([50e0010](50e0010)) ### 📦 Build System * **training:** standardize on Python 3.12 across manifests, containers, and runtime scripts ([#541](#541)) ([7ad014a](7ad014a)) ### 🔧 Operations * **build:** add Copilot cloud agent setup-steps workflow ([#593](#593)) ([c912668](c912668)) ### 🔧 Miscellaneous * **build:** exclude auto-generated CHANGELOG.md from cspell and seed dictionary ([#582](#582)) ([de1dd57](de1dd57)) * **build:** redesign codecov flags and split pytest CI per component ([#520](#520)) ([357e745](357e745)) * **dataviewer:** bump frontend stack to React 19, Vite 8, Tailwind v4, MSAL 5, ESLint 10 ([#524](#524)) ([50f8ad4](50f8ad4)) * **dataviewer:** repoint stale src/dataviewer references to data-management/viewer ([#504](#504)) ([88fa1b4](88fa1b4)), closes [#503](#503) * **deps-dev:** bump basic-ftp from 5.3.0 to 5.3.1 ([#618](#618)) ([ca10f2a](ca10f2a)) * **deps-dev:** bump globals from 15.15.0 to 17.5.0 in /data-management/viewer/frontend ([#527](#527)) ([0e0b2ae](0e0b2ae)) * **deps-dev:** bump ip-address from 10.1.0 to 10.2.0 ([#616](#616)) ([816c9cf](816c9cf)) * **deps-dev:** bump lint-staged from 16.4.0 to 17.0.2 in the root-npm-dependencies group across 1 directory ([#626](#626)) ([0e2f293](0e2f293)) * **deps-dev:** bump pydantic from 2.13.3 to 2.13.4 in the python-dependencies group across 1 directory ([#629](#629)) ([c24f1c1](c24f1c1)) * **deps-dev:** bump the python-dependencies group across 1 directory with 2 updates ([#514](#514)) ([8410f4b](8410f4b)) * **deps:** bump azure-core from 1.39.0 to 1.40.0 in /evaluation in the inference-dependencies group across 1 directory ([#597](#597)) ([6141db4](6141db4)) * **deps:** bump cryptography from 46.0.6 to 46.0.7 in /data-management/viewer ([#424](#424)) ([5fb6d58](5fb6d58)) * **deps:** bump cryptography from 46.0.6 to 46.0.7 in /data-management/viewer/backend ([#423](#423)) ([b516ad5](b516ad5)) * **deps:** bump lucide-react from 0.469.0 to 1.8.0 in /data-management/viewer/frontend ([#528](#528)) ([1bdfc1e](1bdfc1e)) * **deps:** bump nginx from `8aa63af` to `5616878` in /data-management/viewer/frontend ([#511](#511)) ([9e7e20e](9e7e20e)) * **deps:** bump nginx from 1.27-alpine to 1.29-alpine in /data-management/viewer/frontend ([#484](#484)) ([0e5c3dd](0e5c3dd)) * **deps:** bump node from `435f353` to `e49fd70` in /data-management/viewer/frontend ([#560](#560)) ([2884649](2884649)) * **deps:** bump react-is from 18.3.1 to 19.2.5 in /data-management/viewer/frontend ([#530](#530)) ([d51318c](d51318c)) * **deps:** bump tensordict from 0.11.0 to 0.12.1 in /evaluation in the inference-dependencies group across 1 directory ([#456](#456)) ([b24e733](b24e733)) * **deps:** bump the dataviewer-backend-dependencies group across 1 directory with 2 updates ([#531](#531)) ([171a1da](171a1da)) * **deps:** bump the dataviewer-backend-dependencies group across 1 directory with 5 updates ([#516](#516)) ([4f9a577](4f9a577)) * **deps:** bump the dataviewer-backend-dependencies group across 1 directory with 5 updates ([#602](#602)) ([6c27ab5](6c27ab5)) * **deps:** bump the dataviewer-dependencies group across 1 directory with 2 updates ([#529](#529)) ([8646971](8646971)) * **deps:** bump the dataviewer-dependencies group across 1 directory with 3 updates ([#601](#601)) ([d28fb50](d28fb50)) * **deps:** bump the dataviewer-dependencies group across 1 directory with 3 updates ([#632](#632)) ([4ca5f3e](4ca5f3e)) * **deps:** bump the dataviewer-dependencies group across 1 directory with 5 updates ([#515](#515)) ([109ee81](109ee81)) * **deps:** bump the dataviewer-frontend-patch-minor group across 1 directory with 6 updates ([#630](#630)) ([04d5dfd](04d5dfd)) * **deps:** bump the dataviewer-frontend-patch-minor group across 1 directory with 9 updates ([#563](#563)) ([c08f450](c08f450)) * **deps:** bump the docusaurus-dependencies group across 1 directory with 4 updates ([#627](#627)) ([f5825fc](f5825fc)) * **deps:** bump the docusaurus-dependencies group across 1 directory with 6 updates ([#599](#599)) ([b859344](b859344)) * **deps:** bump the github-actions group across 1 directory with 4 updates ([#459](#459)) ([2609c52](2609c52)) * **deps:** bump the github-actions group across 1 directory with 4 updates ([#517](#517)) ([f54bf5d](f54bf5d)) * **deps:** bump the inference-dependencies group across 1 directory with 11 updates ([#562](#562)) ([087f53a](087f53a)) * **deps:** bump the inference-dependencies group across 1 directory with 2 updates ([#628](#628)) ([4a3be47](4a3be47)) * **deps:** bump the pip group across 2 directories with 1 update ([#494](#494)) ([a14b6b0](a14b6b0)) * **docs:** update stale Python 3.11 references to 3.12 ([#575](#575)) ([6f85c95](6f85c95)) * **scripts:** remove redundant SC1091 disables in OSMO deploy scripts ([#509](#509)) ([ae1cb82](ae1cb82)) ### 🔒 Security * **build:** pin dependencies and hash-verify downloads ([#465](#465)) ([0289f49](0289f49)) * **build:** remediate dependency security advisories ([#479](#479)) ([7196d6d](7196d6d)) * **deps-dev:** bump basic-ftp from 5.2.1 to 5.2.2 ([#454](#454)) ([cb158f1](cb158f1)) * **deps-dev:** bump basic-ftp from 5.2.2 to 5.3.0 ([#495](#495)) ([e983b8b](e983b8b)) * **deps-dev:** bump hypothesis from 6.152.3 to 6.152.4 in the python-dependencies group ([#598](#598)) ([83384d2](83384d2)) * **deps-dev:** bump markdownlint-cli2 from 0.22.0 to 0.22.1 in the root-npm-dependencies group ([#559](#559)) ([32bde35](32bde35)) * **deps-dev:** bump picomatch from 2.3.1 to 2.3.2 in /docs/docusaurus ([#455](#455)) ([66f86ca](66f86ca)) * **deps-dev:** bump postcss from 8.5.10 to 8.5.12 in /data-management/viewer/frontend ([#569](#569)) ([a652dba](a652dba)) * **deps-dev:** bump the python-dependencies group with 2 updates ([#457](#457)) ([749d231](749d231)) * **deps-dev:** bump the python-dependencies group with 2 updates ([#485](#485)) ([71b44fd](71b44fd)) * **deps-dev:** bump the python-dependencies group with 3 updates ([#564](#564)) ([9fc52fd](9fc52fd)) * **deps-dev:** bump typescript from 6.0.2 to 6.0.3 in /docs/docusaurus in the docusaurus-dependencies group ([#513](#513)) ([5694dbc](5694dbc)) * **deps:** bump azureml/openmpi4.1.0-ubuntu22.04 from 20260303.v5 to 20260409.v4 in /evaluation/sil/docker ([#480](#480)) ([25d4df8](25d4df8)) * **deps:** bump cryptography from 46.0.6 to 46.0.7 in /evaluation in the uv group across 1 directory ([#538](#538)) ([92c5b2e](92c5b2e)) * **deps:** bump diffusers from 0.35.2 to 0.38.0 in /training/il/lerobot ([#638](#638)) ([6261d19](6261d19)) * **deps:** bump follow-redirects from 1.15.11 to 1.16.0 in /docs/docusaurus ([#469](#469)) ([0458908](0458908)) * **deps:** bump gitpython and mako for lerobot IL training ([#623](#623)) ([9f8022b](9f8022b)) * **deps:** bump node from 24.14.1-slim to 25.9.0-slim in /data-management/viewer/frontend ([#482](#482)) ([1532d09](1532d09)) * **deps:** bump packaging from 26.0 to 26.1 in /evaluation in the inference-dependencies group ([#483](#483)) ([f4afb6c](f4afb6c)) * **deps:** bump pillow from 12.1.1 to 12.2.0 ([#467](#467)) ([39fb663](39fb663)) * **deps:** bump python from 3.11-slim to 3.14-slim in /data-management/viewer/backend ([#481](#481)) ([7af9dfc](7af9dfc)) * **deps:** bump the dataviewer-backend-dependencies group across 1 directory with 15 updates ([#428](#428)) ([e4446a2](e4446a2)) * **deps:** bump the dataviewer-backend-dependencies group in /data-management/viewer/backend with 4 updates ([#487](#487)) ([0f57c5b](0f57c5b)) * **deps:** bump the dataviewer-backend-dependencies group in /data-management/viewer/backend with 8 updates ([#566](#566)) ([d6e7869](d6e7869)) * **deps:** bump the dataviewer-dependencies group across 1 directory with 5 updates ([#464](#464)) ([24c208d](24c208d)) * **deps:** bump the dataviewer-dependencies group in /data-management/viewer with 2 updates ([#486](#486)) ([90149f3](90149f3)) * **deps:** bump the dataviewer-dependencies group in /data-management/viewer with 6 updates ([#565](#565)) ([f0bb36b](f0bb36b)) * **deps:** bump the dataviewer-frontend-patch-minor group across 1 directory with 10 updates ([#613](#613)) ([e481f83](e481f83)) * **deps:** bump the github-actions group across 1 directory with 4 updates ([#534](#534)) ([5478ab6](5478ab6)) * **deps:** bump the github-actions group with 2 updates ([#488](#488)) ([4e6ce98](4e6ce98)) * **deps:** bump the github-actions group with 3 updates ([#567](#567)) ([48c38dc](48c38dc)) * **deps:** bump the github-actions group with 3 updates ([#634](#634)) ([00cfb49](00cfb49)) * **deps:** bump the github-actions group with 6 updates ([#603](#603)) ([73eb79a](73eb79a)) * **deps:** bump the training-dependencies group across 1 directory with 23 updates ([#463](#463)) ([d5a8656](d5a8656)) * **deps:** bump yaml from 2.8.2 to 2.8.3 in /data-management/viewer/frontend ([#453](#453)) ([10449df](10449df)) * pytest harness, dependabot advisories, and OSSF Scorecard remediations ([#501](#501)) ([e8756e8](e8756e8)) * **scripts:** pin and hash-verify all shell script downloads ([#468](#468)) ([0c2bb9c](0c2bb9c)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: physical-ai-toolchain-release[bot] <267194360+physical-ai-toolchain-release[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
WilliamBerryiii
added a commit
that referenced
this pull request
May 13, 2026
#612) ## Description The `aw-dependabot-pr-review` agentic workflow used to fire on `pull_request_target`, which meant the resolver step captured a snapshot of `PR Validation` while it was still `pending` or `in_progress:*`, and the advisory review was posted before the orchestrator ever finished. PR #608 was the canonical example: the review correctly applied the Isaac Sim *numpy 2.x* ABI guard, but its CI banner quoted a stale `in_progress:in_progress` conclusion. This PR migrates the workflow to `workflow_run` keyed on `PR Validation` *completed*, reads the orchestrator's terminal conclusion straight from `context.payload.workflow_run.conclusion`, and pre-resolves failing per-surface check-runs once in the resolver step. The persona rubric is rewritten to consume those env vars and to map every terminal conclusion explicitly - `pending` and `in_progress:*` branches are gone because they are now unreachable. Related to #579. ## Type of Change - [ ] 🐛 Bug fix (non-breaking change fixing an issue) - [ ] ✨ New feature (non-breaking change adding functionality) - [ ] 💥 Breaking change (fix or feature causing existing functionality to change) - [ ] 📚 Documentation update - [ ] 🏗️ Infrastructure change (Terraform/IaC) - [x] ♻️ Refactoring (no functional changes) ## Component(s) Affected - [ ] `infrastructure/terraform/prerequisites/` - Azure subscription setup - [ ] `infrastructure/terraform/` - Terraform infrastructure - [ ] `infrastructure/setup/` - OSMO control plane / Helm - [ ] `workflows/` - Training and evaluation workflows - [ ] `training/` - Training pipelines and scripts - [ ] `docs/` - Documentation ## Changes ### Workflow trigger and resolver > Switching to `workflow_run` runs the agent step against the trusted, default-branch copy of the workflow, so the gh-aw compiler can auto-inject fork-PR exclusion and the `repository.id` guard. - Replaced `pull_request_target` with `workflow_run` on **`workflows: ["PR Validation"]`**, `types: [completed]`, `branches: ["dependabot/**"]`. The `branches:` filter on `workflow_run` matches the *triggering run's `head_branch`* (not the base), so `dependabot/**` is the only value that fires for Dependabot PRs — using `main` here was the [#583](#583) regression fixed in [#584](#584). The workflow-level `if:` filters on `workflow_run.event == 'pull_request'`, `workflow_run.actor.login == 'dependabot[bot]'`, and a whitelist of seven terminal conclusions. - Kept `on.bots: ["dependabot[bot]"]` and `on.roles: [admin, maintainer, write]` at the top level — gh-aw's `pre_activation` guard checks the triggering actor against `on.bots` / `on.roles` independently of the workflow `if:`, so dropping these would resurrect the [#585](#585) / [#586](#586) `User permission 'none'` activation block. - Added `checks: read` to `permissions:` for server-side check-run enumeration; existing `contents`, `pull-requests`, and `actions` scopes are unchanged. - Rewrote the *resolve-pr* step. It reads `context.payload.workflow_run`, prefers `workflow_run.pull_requests[0]`, and falls back to `search.issuesAndPullRequests` keyed on `head_sha` for the fork case. Both paths re-hydrate via `pulls.get` so `body` and `draft` are reliable. - Dropped the previous `listWorkflowRunsForRepo` lookup. **`PR_VALIDATION_CONCLUSION`** now reads directly from `run.conclusion`, which under `types: [completed]` is always one of `success`, `failure`, `cancelled`, `timed_out`, `neutral`, `skipped`, or `action_required`. - Added two new env vars exported by the resolver: - **`PR_VALIDATION_FAILING_CHECKS`** — JSON array of `{name, html_url, conclusion}` from `checks.listForRef(ref=pr.head.sha)` filtered to completed non-success/non-neutral/non-skipped runs. - **`PR_BODY`** — PR body hydrated server-side so the agent does not depend on the integrity-filtered MCP read of the PR. - New skip reasons in `PR_DEPENDABOT_SKIP_REASON`: `not-a-pr-run` and `pr-resolution-failed`, alongside the existing `not-dependabot` / `draft`. - Retargeted `safe-outputs`: - `submit-pull-request-review.target` → `${{ env.PR_NUMBER }}` - `add-comment.target` → `${{ env.PR_NUMBER }}` (was `triggering`, which is undefined under `workflow_run`) - `create-pull-request-review-comment.target` → `"*"` ### Persona verdict rubric > The agent now reasons over a *final* CI signal, so the rubric collapses to a clean terminal-conclusion map. - Rewrote the *Validation Signal* section in `.github/agents/dependabot-pr-reviewer.agent.md`. The persona is told the workflow runs after `PR Validation` reaches a terminal conclusion, and is explicitly forbidden from calling `checks.listForRef` or `commits/{sha}/check-runs` — it reads `PR_VALIDATION_FAILING_CHECKS` from the environment instead. - Reframed the *Surface to Check Run Map* as an informational lookup for mapping a failing check name back to its dependency surface. The persona no longer walks it via the API. - Rewrote the *Verdict Adjustment* block as an explicit terminal-conclusion map: - `success` + no static concern + no sticky high-risk trigger → `APPROVE`-eligible, citing the orchestrator conclusion plus an empty `PR_VALIDATION_FAILING_CHECKS`. - `failure | cancelled | timed_out | action_required` → `COMMENT`; body MUST quote every entry from `PR_VALIDATION_FAILING_CHECKS` (`name` plus `html_url`). - `neutral | skipped | unknown` or `PR_DEPENDABOT_SKIP_REASON == 'pr-resolution-failed'` → `COMMENT` with a `> [!CAUTION]` banner: *Deterministic CI signal unavailable (`{conclusion}`); review is advisory only.* - Preserved the sticky Isaac Sim ABI guard verbatim — a `numpy` 2.x bump still keeps the verdict at `COMMENT` and forces the `⚠️ Maintainer review recommended` banner regardless of CI conclusion. ### Workflow documentation and lock files - Rewrote the *Trigger Posture* and step-by-step prose in `aw-dependabot-pr-review.md` to describe the `workflow_run` execution model, the gh-aw compiler's auto-injected fork-PR exclusion and `repository.id` guard, and the new env-var contract. - Bumped `github/gh-aw-actions/setup` `v0.68.3` → `v0.71.1` in `.github/aw/actions-lock.json` (SHA `ba90f21…` → `239aec4…`), picked up by recompilation. - Regenerated `.github/workflows/aw-dependabot-pr-review.lock.yml` via the gh-aw compiler — diff reflects the trigger swap, the new env vars, and the setup-action SHA bump. No hand edits. ## Testing Performed - [ ] Terraform `plan` reviewed (no unexpected changes) - [ ] Terraform `apply` tested in dev environment - [ ] Training scripts tested locally with Isaac Sim - [ ] OSMO workflow submitted successfully - [ ] Smoke tests passed (`smoke_test_azure.py`) > None of the templated test surfaces apply — this PR only touches `.github/agents/` and `.github/workflows/`. Validation evidence: `npm run lint:md` and `npm run lint:yaml` pass on the changed files; the `aw-dependabot-pr-review.lock.yml` artifact is regenerated rather than hand-edited and matches the gh-aw compiler output for the new source. The behavioural change is observable on the next Dependabot PR — the advisory review will fire after `PR Validation` completes and quote the orchestrator's terminal conclusion plus any failing per-surface checks. ## Documentation Impact - [x] No documentation changes needed - [ ] Documentation updated in this PR - [ ] Documentation issue filed ## Bug Fix Checklist *Not a bug fix — this is a refactor of an agentic-workflow trigger surface.* - [ ] Linked to issue being fixed - [ ] Regression test included, OR - [ ] Justification for no regression test: ## Checklist - [x] My code follows the [project conventions](copilot-instructions.md) - [x] Commit messages follow [conventional commit format](instructions/commit-message.instructions.md) - [x] I have performed a self-review - [x] Documentation impact assessed above - [x] No new linting warnings introduced ## Related Issues Related to #579 ## Notes > The `min-integrity: approved` setting on `tools.github` is intentionally preserved. The agent's MCP PR-body read is therefore filtered, which is why the resolver hydrates `PR_BODY` from the REST API server-side — the persona consumes the env var rather than relying on the filtered MCP payload. - Lowering `min-integrity` to `unapproved` was rejected on prompt-injection grounds; the resolver-side hydration is the chosen mitigation. - `workflow_run` runs in default-branch context, which means changes to the AW workflow itself cannot be exercised by a Dependabot PR — this is the secure-by-design tradeoff documented in the GitHub Security Lab "preventing pwn requests" guide and aligns with the gh-aw `workflow_run` recommendation. ## Follow-up Tasks - Validate behaviour on a grouped Dependabot update that produces multiple `PR Validation` runs against the same head SHA — confirm that only the latest completed run drives the advisory review. - After the first live Dependabot PR runs through the new trigger, compare the posted review's CI banner against the orchestrator's final conclusion and the failing-check list to confirm the staleness regression observed in PR #608 is gone. - Confirm that `safe-outputs.submit-pull-request-review` and `add-comment` post successfully under `workflow_run` — the `target: ${{ env.PR_NUMBER }}` overrides are the [#588](#588) / [#589](#589) mitigation; a *Not in pull request context* skip in `safe_outputs` would mean the env var did not resolve. --------- Co-authored-by: Copilot <copilot@github.com> Co-authored-by: Bill Berry <WilliamBerryiii@users.noreply.github.com> Co-authored-by: Chris Montazer <17170709+rezatnoMsirhC@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
After #583 corrected the
branches:filter on the AW Dependabot PR Review workflow, the agentic workflow finally fired on Dependabotworkflow_runcompletions — butpre_activationimmediately skipped activation withAccess denied: User 'dependabot[bot]' is not authorized. gh-aw's pre-activation guard checks the triggering actor againston.roles, anddependabot[bot]carries rolenone, so the run was blocked even though the trigger filters and PR resolver were correct.This change allow-lists Dependabot at the trigger boundary by adding
on.bots: ["dependabot[bot]"]to the workflow source and recompiling the lockfile viagh aw compile.on.rolesis preserved at its existing default and written explicitly for documentation. The downstreamresolve-prstep still gates onpr.user.login === 'dependabot[bot]', so the activation surface remains scoped to Dependabot PRs.Closes #585
Type of Change
Component(s) Affected
infrastructure/terraform/prerequisites/- Azure subscription setupinfrastructure/terraform/- Terraform infrastructureinfrastructure/setup/- OSMO control plane / Helmworkflows/- Training and evaluation workflowstraining/- Training pipelines and scriptsdocs/- DocumentationTesting Performed
planreviewed (no unexpected changes)applytested in dev environmentsmoke_test_azure.py)Documentation Impact
Bug Fix Checklist
Complete this section for bug fix PRs. Skip for other contribution types.
Checklist