fix(workflows): switch AW Dependabot PR Review to pull_request_target#589
Merged
- Replace `workflow_run` trigger with `pull_request_target` so safe-output handlers receive a real `github.event.pull_request` payload and can post inline review comments and the submitted review (`workflow_run` lacks PR context, causing every comment to be silently skipped with 'Not in pull request context')
- Filter activation to `dependabot/**` head branches authored by `dependabot[bot]` via the workflow `if:` guard
- Rewrite the resolver step to read the PR from event payload and query the most recent PR Validation run for this head SHA at runtime; `PR_VALIDATION_CONCLUSION` may now be `pending` or `in_progress:<status>`
- Update the agent persona to tolerate pending CI and keep the verdict at `COMMENT` when the orchestrator has not yet completed

🤖 Generated by Copilot
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings: Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files: None

Codecov Report: ✅ All modified and coverable lines are covered by tests.

Additional details and impacted files:

```diff
@@            Coverage Diff             @@
##             main     #589      +/-   ##
==========================================
+ Coverage   63.91%   66.56%   +2.65%
==========================================
  Files         250      262      +12
  Lines       15409    16639    +1230
  Branches     2163     2301     +138
==========================================
+ Hits         9848    11076    +1228
  Misses       5274     5274
- Partials      287      289       +2
```

This pull request uses carry forward flags.
bindsi approved these changes on Apr 28, 2026
…tation 🔧 - Generated by Copilot Co-authored-by: Copilot <copilot@github.com>
WilliamBerryiii pushed a commit that referenced this pull request on May 8, 2026:
🤖 I have created a release *beep* *boop*

---

## [0.8.0](v0.7.4...v0.8.0) (2026-05-08)

### ⚠ BREAKING CHANGES

* **dataviewer:** bump frontend stack to React 19, Vite 8, Tailwind v4, MSAL 5, ESLint 10 ([#524](#524))

### ✨ Features

* **agents:** add automated validation for high-risk Dependabot bumps ([#574](#574)) ([8c3686a](8c3686a)), closes [#573](#573)
* **data:** add camera selector to annotation workspace and fix AV1 frame extraction ([#591](#591)) ([c809d2f](c809d2f))
* **data:** seed dataviewer frontend test foundation and per-section codecov flags ([#594](#594)) ([c06c4e3](c06c4e3))
* **dataviewer:** add OWASP security middleware stack ([#439](#439)) ([239edb9](239edb9))
* **infrastructure:** add conversion pipeline Terraform module ([#542](#542)) ([244531e](244531e))
* **infrastructure:** upgrade OSMO to chart 1.2.1 / image 6.2 with secure auth and skrl 2.0.0 compatibility ([#492](#492)) ([edfd7a5](edfd7a5))
* **pipeline:** add ACSA setup for ROS2 bag sync to Blob ([#451](#451)) ([c271a54](c271a54))
* **workflows:** add advisory Dependabot PR reviewer agentic workflow ([#498](#498)) ([d4bb140](d4bb140))
* **workflows:** trigger AW Dependabot PR reviewer after PR Validation ([#580](#580)) ([7ab3d16](7ab3d16))

### 🐛 Bug Fixes

* **ci:** correct stale version comment for actions/create-github-app-token ([#506](#506)) ([b2e9a54](b2e9a54))
* **ci:** restore data-pipeline and training broken tests by domain folder restructure ([#547](#547)) ([06d8472](06d8472))
* **docs:** update remaining stale 'Coming soon' labels in docs/README.md ([#507](#507)) ([02439d6](02439d6))
* **docs:** update stale coming soon label for Training section ([#472](#472)) ([46db49b](46db49b))
* **evaluation:** scope SIL AzureML validation code path and script reference ([#387](#387)) ([9f138a9](9f138a9))
* **infrastructure:** OSMO workflow execution, PostgreSQL public access, and quickstart corrections ([#477](#477)) ([9ed2da6](9ed2da6))
* **scripts:** exclude CHANGELOG.md from changed-files msdate check ([#644](#644)) ([8133bdc](8133bdc))
* **workflows:** allow dependabot[bot] to activate AW Dependabot PR Review ([#586](#586)) ([39dc022](39dc022))
* **workflows:** correct branches filter on AW Dependabot PR Review workflow_run trigger ([#584](#584)) ([fe06b52](fe06b52))
* **workflows:** normalize validate.yaml placeholder env/compute values ([#510](#510)) ([340ff44](340ff44))
* **workflows:** recompile aw-dependabot-pr-review lock file ([#576](#576)) ([d77c167](d77c167))
* **workflows:** switch AW Dependabot PR Review to pull_request_target ([#589](#589)) ([3f1edd1](3f1edd1))

### 📚 Documentation

* **docs:** Fix deployment guide links ([#614](#614)) ([0070b04](0070b04))
* document dependency-pinning-artifacts directory purpose ([#508](#508)) ([50e0010](50e0010))

### 📦 Build System

* **training:** standardize on Python 3.12 across manifests, containers, and runtime scripts ([#541](#541)) ([7ad014a](7ad014a))

### 🔧 Operations

* **build:** add Copilot cloud agent setup-steps workflow ([#593](#593)) ([c912668](c912668))

### 🔧 Miscellaneous

* **build:** exclude auto-generated CHANGELOG.md from cspell and seed dictionary ([#582](#582)) ([de1dd57](de1dd57))
* **build:** redesign codecov flags and split pytest CI per component ([#520](#520)) ([357e745](357e745))
* **dataviewer:** bump frontend stack to React 19, Vite 8, Tailwind v4, MSAL 5, ESLint 10 ([#524](#524)) ([50f8ad4](50f8ad4))
* **dataviewer:** repoint stale src/dataviewer references to data-management/viewer ([#504](#504)) ([88fa1b4](88fa1b4)), closes [#503](#503)
* **deps-dev:** bump basic-ftp from 5.3.0 to 5.3.1 ([#618](#618)) ([ca10f2a](ca10f2a))
* **deps-dev:** bump globals from 15.15.0 to 17.5.0 in /data-management/viewer/frontend ([#527](#527)) ([0e0b2ae](0e0b2ae))
* **deps-dev:** bump ip-address from 10.1.0 to 10.2.0 ([#616](#616)) ([816c9cf](816c9cf))
* **deps-dev:** bump lint-staged from 16.4.0 to 17.0.2 in the root-npm-dependencies group across 1 directory ([#626](#626)) ([0e2f293](0e2f293))
* **deps-dev:** bump pydantic from 2.13.3 to 2.13.4 in the python-dependencies group across 1 directory ([#629](#629)) ([c24f1c1](c24f1c1))
* **deps-dev:** bump the python-dependencies group across 1 directory with 2 updates ([#514](#514)) ([8410f4b](8410f4b))
* **deps:** bump azure-core from 1.39.0 to 1.40.0 in /evaluation in the inference-dependencies group across 1 directory ([#597](#597)) ([6141db4](6141db4))
* **deps:** bump cryptography from 46.0.6 to 46.0.7 in /data-management/viewer ([#424](#424)) ([5fb6d58](5fb6d58))
* **deps:** bump cryptography from 46.0.6 to 46.0.7 in /data-management/viewer/backend ([#423](#423)) ([b516ad5](b516ad5))
* **deps:** bump lucide-react from 0.469.0 to 1.8.0 in /data-management/viewer/frontend ([#528](#528)) ([1bdfc1e](1bdfc1e))
* **deps:** bump nginx from `8aa63af` to `5616878` in /data-management/viewer/frontend ([#511](#511)) ([9e7e20e](9e7e20e))
* **deps:** bump nginx from 1.27-alpine to 1.29-alpine in /data-management/viewer/frontend ([#484](#484)) ([0e5c3dd](0e5c3dd))
* **deps:** bump node from `435f353` to `e49fd70` in /data-management/viewer/frontend ([#560](#560)) ([2884649](2884649))
* **deps:** bump react-is from 18.3.1 to 19.2.5 in /data-management/viewer/frontend ([#530](#530)) ([d51318c](d51318c))
* **deps:** bump tensordict from 0.11.0 to 0.12.1 in /evaluation in the inference-dependencies group across 1 directory ([#456](#456)) ([b24e733](b24e733))
* **deps:** bump the dataviewer-backend-dependencies group across 1 directory with 2 updates ([#531](#531)) ([171a1da](171a1da))
* **deps:** bump the dataviewer-backend-dependencies group across 1 directory with 5 updates ([#516](#516)) ([4f9a577](4f9a577))
* **deps:** bump the dataviewer-backend-dependencies group across 1 directory with 5 updates ([#602](#602)) ([6c27ab5](6c27ab5))
* **deps:** bump the dataviewer-dependencies group across 1 directory with 2 updates ([#529](#529)) ([8646971](8646971))
* **deps:** bump the dataviewer-dependencies group across 1 directory with 3 updates ([#601](#601)) ([d28fb50](d28fb50))
* **deps:** bump the dataviewer-dependencies group across 1 directory with 3 updates ([#632](#632)) ([4ca5f3e](4ca5f3e))
* **deps:** bump the dataviewer-dependencies group across 1 directory with 5 updates ([#515](#515)) ([109ee81](109ee81))
* **deps:** bump the dataviewer-frontend-patch-minor group across 1 directory with 6 updates ([#630](#630)) ([04d5dfd](04d5dfd))
* **deps:** bump the dataviewer-frontend-patch-minor group across 1 directory with 9 updates ([#563](#563)) ([c08f450](c08f450))
* **deps:** bump the docusaurus-dependencies group across 1 directory with 4 updates ([#627](#627)) ([f5825fc](f5825fc))
* **deps:** bump the docusaurus-dependencies group across 1 directory with 6 updates ([#599](#599)) ([b859344](b859344))
* **deps:** bump the github-actions group across 1 directory with 4 updates ([#459](#459)) ([2609c52](2609c52))
* **deps:** bump the github-actions group across 1 directory with 4 updates ([#517](#517)) ([f54bf5d](f54bf5d))
* **deps:** bump the inference-dependencies group across 1 directory with 11 updates ([#562](#562)) ([087f53a](087f53a))
* **deps:** bump the inference-dependencies group across 1 directory with 2 updates ([#628](#628)) ([4a3be47](4a3be47))
* **deps:** bump the pip group across 2 directories with 1 update ([#494](#494)) ([a14b6b0](a14b6b0))
* **docs:** update stale Python 3.11 references to 3.12 ([#575](#575)) ([6f85c95](6f85c95))
* **scripts:** remove redundant SC1091 disables in OSMO deploy scripts ([#509](#509)) ([ae1cb82](ae1cb82))

### 🔒 Security

* **build:** pin dependencies and hash-verify downloads ([#465](#465)) ([0289f49](0289f49))
* **build:** remediate dependency security advisories ([#479](#479)) ([7196d6d](7196d6d))
* **deps-dev:** bump basic-ftp from 5.2.1 to 5.2.2 ([#454](#454)) ([cb158f1](cb158f1))
* **deps-dev:** bump basic-ftp from 5.2.2 to 5.3.0 ([#495](#495)) ([e983b8b](e983b8b))
* **deps-dev:** bump hypothesis from 6.152.3 to 6.152.4 in the python-dependencies group ([#598](#598)) ([83384d2](83384d2))
* **deps-dev:** bump markdownlint-cli2 from 0.22.0 to 0.22.1 in the root-npm-dependencies group ([#559](#559)) ([32bde35](32bde35))
* **deps-dev:** bump picomatch from 2.3.1 to 2.3.2 in /docs/docusaurus ([#455](#455)) ([66f86ca](66f86ca))
* **deps-dev:** bump postcss from 8.5.10 to 8.5.12 in /data-management/viewer/frontend ([#569](#569)) ([a652dba](a652dba))
* **deps-dev:** bump the python-dependencies group with 2 updates ([#457](#457)) ([749d231](749d231))
* **deps-dev:** bump the python-dependencies group with 2 updates ([#485](#485)) ([71b44fd](71b44fd))
* **deps-dev:** bump the python-dependencies group with 3 updates ([#564](#564)) ([9fc52fd](9fc52fd))
* **deps-dev:** bump typescript from 6.0.2 to 6.0.3 in /docs/docusaurus in the docusaurus-dependencies group ([#513](#513)) ([5694dbc](5694dbc))
* **deps:** bump azureml/openmpi4.1.0-ubuntu22.04 from 20260303.v5 to 20260409.v4 in /evaluation/sil/docker ([#480](#480)) ([25d4df8](25d4df8))
* **deps:** bump cryptography from 46.0.6 to 46.0.7 in /evaluation in the uv group across 1 directory ([#538](#538)) ([92c5b2e](92c5b2e))
* **deps:** bump diffusers from 0.35.2 to 0.38.0 in /training/il/lerobot ([#638](#638)) ([6261d19](6261d19))
* **deps:** bump follow-redirects from 1.15.11 to 1.16.0 in /docs/docusaurus ([#469](#469)) ([0458908](0458908))
* **deps:** bump gitpython and mako for lerobot IL training ([#623](#623)) ([9f8022b](9f8022b))
* **deps:** bump node from 24.14.1-slim to 25.9.0-slim in /data-management/viewer/frontend ([#482](#482)) ([1532d09](1532d09))
* **deps:** bump packaging from 26.0 to 26.1 in /evaluation in the inference-dependencies group ([#483](#483)) ([f4afb6c](f4afb6c))
* **deps:** bump pillow from 12.1.1 to 12.2.0 ([#467](#467)) ([39fb663](39fb663))
* **deps:** bump python from 3.11-slim to 3.14-slim in /data-management/viewer/backend ([#481](#481)) ([7af9dfc](7af9dfc))
* **deps:** bump the dataviewer-backend-dependencies group across 1 directory with 15 updates ([#428](#428)) ([e4446a2](e4446a2))
* **deps:** bump the dataviewer-backend-dependencies group in /data-management/viewer/backend with 4 updates ([#487](#487)) ([0f57c5b](0f57c5b))
* **deps:** bump the dataviewer-backend-dependencies group in /data-management/viewer/backend with 8 updates ([#566](#566)) ([d6e7869](d6e7869))
* **deps:** bump the dataviewer-dependencies group across 1 directory with 5 updates ([#464](#464)) ([24c208d](24c208d))
* **deps:** bump the dataviewer-dependencies group in /data-management/viewer with 2 updates ([#486](#486)) ([90149f3](90149f3))
* **deps:** bump the dataviewer-dependencies group in /data-management/viewer with 6 updates ([#565](#565)) ([f0bb36b](f0bb36b))
* **deps:** bump the dataviewer-frontend-patch-minor group across 1 directory with 10 updates ([#613](#613)) ([e481f83](e481f83))
* **deps:** bump the github-actions group across 1 directory with 4 updates ([#534](#534)) ([5478ab6](5478ab6))
* **deps:** bump the github-actions group with 2 updates ([#488](#488)) ([4e6ce98](4e6ce98))
* **deps:** bump the github-actions group with 3 updates ([#567](#567)) ([48c38dc](48c38dc))
* **deps:** bump the github-actions group with 3 updates ([#634](#634)) ([00cfb49](00cfb49))
* **deps:** bump the github-actions group with 6 updates ([#603](#603)) ([73eb79a](73eb79a))
* **deps:** bump the training-dependencies group across 1 directory with 23 updates ([#463](#463)) ([d5a8656](d5a8656))
* **deps:** bump yaml from 2.8.2 to 2.8.3 in /data-management/viewer/frontend ([#453](#453)) ([10449df](10449df))
* pytest harness, dependabot advisories, and OSSF Scorecard remediations ([#501](#501)) ([e8756e8](e8756e8))
* **scripts:** pin and hash-verify all shell script downloads ([#468](#468)) ([0c2bb9c](0c2bb9c))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: physical-ai-toolchain-release[bot] <267194360+physical-ai-toolchain-release[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
WilliamBerryiii added a commit that referenced this pull request on May 13, 2026:
#612)

## Description

The `aw-dependabot-pr-review` agentic workflow used to fire on `pull_request_target`, which meant the resolver step captured a snapshot of `PR Validation` while it was still `pending` or `in_progress:*`, and the advisory review was posted before the orchestrator ever finished. PR #608 was the canonical example: the review correctly applied the Isaac Sim *numpy 2.x* ABI guard, but its CI banner quoted a stale `in_progress:in_progress` conclusion.

This PR migrates the workflow to `workflow_run` keyed on `PR Validation` *completed*, reads the orchestrator's terminal conclusion straight from `context.payload.workflow_run.conclusion`, and pre-resolves failing per-surface check-runs once in the resolver step. The persona rubric is rewritten to consume those env vars and to map every terminal conclusion explicitly - `pending` and `in_progress:*` branches are gone because they are now unreachable.

Related to #579.

## Type of Change

- [ ] 🐛 Bug fix (non-breaking change fixing an issue)
- [ ] ✨ New feature (non-breaking change adding functionality)
- [ ] 💥 Breaking change (fix or feature causing existing functionality to change)
- [ ] 📚 Documentation update
- [ ] 🏗️ Infrastructure change (Terraform/IaC)
- [x] ♻️ Refactoring (no functional changes)

## Component(s) Affected

- [ ] `infrastructure/terraform/prerequisites/` - Azure subscription setup
- [ ] `infrastructure/terraform/` - Terraform infrastructure
- [ ] `infrastructure/setup/` - OSMO control plane / Helm
- [ ] `workflows/` - Training and evaluation workflows
- [ ] `training/` - Training pipelines and scripts
- [ ] `docs/` - Documentation

## Changes

### Workflow trigger and resolver

> Switching to `workflow_run` runs the agent step against the trusted, default-branch copy of the workflow, so the gh-aw compiler can auto-inject fork-PR exclusion and the `repository.id` guard.

- Replaced `pull_request_target` with `workflow_run` on **`workflows: ["PR Validation"]`**, `types: [completed]`, `branches: ["dependabot/**"]`. The `branches:` filter on `workflow_run` matches the *triggering run's `head_branch`* (not the base), so `dependabot/**` is the only value that fires for Dependabot PRs — using `main` here was the [#583](#583) regression fixed in [#584](#584). The workflow-level `if:` filters on `workflow_run.event == 'pull_request'`, `workflow_run.actor.login == 'dependabot[bot]'`, and a whitelist of seven terminal conclusions.
- Kept `on.bots: ["dependabot[bot]"]` and `on.roles: [admin, maintainer, write]` at the top level — gh-aw's `pre_activation` guard checks the triggering actor against `on.bots` / `on.roles` independently of the workflow `if:`, so dropping these would resurrect the [#585](#585) / [#586](#586) `User permission 'none'` activation block.
- Added `checks: read` to `permissions:` for server-side check-run enumeration; existing `contents`, `pull-requests`, and `actions` scopes are unchanged.
- Rewrote the *resolve-pr* step. It reads `context.payload.workflow_run`, prefers `workflow_run.pull_requests[0]`, and falls back to `search.issuesAndPullRequests` keyed on `head_sha` for the fork case. Both paths re-hydrate via `pulls.get` so `body` and `draft` are reliable.
- Dropped the previous `listWorkflowRunsForRepo` lookup. **`PR_VALIDATION_CONCLUSION`** now reads directly from `run.conclusion`, which under `types: [completed]` is always one of `success`, `failure`, `cancelled`, `timed_out`, `neutral`, `skipped`, or `action_required`.
- Added two new env vars exported by the resolver:
  - **`PR_VALIDATION_FAILING_CHECKS`** — JSON array of `{name, html_url, conclusion}` from `checks.listForRef(ref=pr.head.sha)` filtered to completed non-success/non-neutral/non-skipped runs.
  - **`PR_BODY`** — PR body hydrated server-side so the agent does not depend on the integrity-filtered MCP read of the PR.
- New skip reasons in `PR_DEPENDABOT_SKIP_REASON`: `not-a-pr-run` and `pr-resolution-failed`, alongside the existing `not-dependabot` / `draft`.
- Retargeted `safe-outputs`:
  - `submit-pull-request-review.target` → `${{ env.PR_NUMBER }}`
  - `add-comment.target` → `${{ env.PR_NUMBER }}` (was `triggering`, which is undefined under `workflow_run`)
  - `create-pull-request-review-comment.target` → `"*"`

### Persona verdict rubric

> The agent now reasons over a *final* CI signal, so the rubric collapses to a clean terminal-conclusion map.

- Rewrote the *Validation Signal* section in `.github/agents/dependabot-pr-reviewer.agent.md`. The persona is told the workflow runs after `PR Validation` reaches a terminal conclusion, and is explicitly forbidden from calling `checks.listForRef` or `commits/{sha}/check-runs` — it reads `PR_VALIDATION_FAILING_CHECKS` from the environment instead.
- Reframed the *Surface to Check Run Map* as an informational lookup for mapping a failing check name back to its dependency surface. The persona no longer walks it via the API.
- Rewrote the *Verdict Adjustment* block as an explicit terminal-conclusion map:
  - `success` + no static concern + no sticky high-risk trigger → `APPROVE`-eligible, citing the orchestrator conclusion plus an empty `PR_VALIDATION_FAILING_CHECKS`.
  - `failure | cancelled | timed_out | action_required` → `COMMENT`; body MUST quote every entry from `PR_VALIDATION_FAILING_CHECKS` (`name` plus `html_url`).
  - `neutral | skipped | unknown` or `PR_DEPENDABOT_SKIP_REASON == 'pr-resolution-failed'` → `COMMENT` with a `> [!CAUTION]` banner: *Deterministic CI signal unavailable (`{conclusion}`); review is advisory only.*
- Preserved the sticky Isaac Sim ABI guard verbatim — a `numpy` 2.x bump still keeps the verdict at `COMMENT` and forces the `⚠️ Maintainer review recommended` banner regardless of CI conclusion.

### Workflow documentation and lock files

- Rewrote the *Trigger Posture* and step-by-step prose in `aw-dependabot-pr-review.md` to describe the `workflow_run` execution model, the gh-aw compiler's auto-injected fork-PR exclusion and `repository.id` guard, and the new env-var contract.
- Bumped `github/gh-aw-actions/setup` `v0.68.3` → `v0.71.1` in `.github/aw/actions-lock.json` (SHA `ba90f21…` → `239aec4…`), picked up by recompilation.
- Regenerated `.github/workflows/aw-dependabot-pr-review.lock.yml` via the gh-aw compiler — diff reflects the trigger swap, the new env vars, and the setup-action SHA bump. No hand edits.

## Testing Performed

- [ ] Terraform `plan` reviewed (no unexpected changes)
- [ ] Terraform `apply` tested in dev environment
- [ ] Training scripts tested locally with Isaac Sim
- [ ] OSMO workflow submitted successfully
- [ ] Smoke tests passed (`smoke_test_azure.py`)

> None of the templated test surfaces apply — this PR only touches `.github/agents/` and `.github/workflows/`. Validation evidence: `npm run lint:md` and `npm run lint:yaml` pass on the changed files; the `aw-dependabot-pr-review.lock.yml` artifact is regenerated rather than hand-edited and matches the gh-aw compiler output for the new source. The behavioural change is observable on the next Dependabot PR — the advisory review will fire after `PR Validation` completes and quote the orchestrator's terminal conclusion plus any failing per-surface checks.

## Documentation Impact

- [x] No documentation changes needed
- [ ] Documentation updated in this PR
- [ ] Documentation issue filed

## Bug Fix Checklist

*Not a bug fix — this is a refactor of an agentic-workflow trigger surface.*

- [ ] Linked to issue being fixed
- [ ] Regression test included, OR
- [ ] Justification for no regression test:

## Checklist

- [x] My code follows the [project conventions](copilot-instructions.md)
- [x] Commit messages follow [conventional commit format](instructions/commit-message.instructions.md)
- [x] I have performed a self-review
- [x] Documentation impact assessed above
- [x] No new linting warnings introduced

## Related Issues

Related to #579

## Notes

> The `min-integrity: approved` setting on `tools.github` is intentionally preserved. The agent's MCP PR-body read is therefore filtered, which is why the resolver hydrates `PR_BODY` from the REST API server-side — the persona consumes the env var rather than relying on the filtered MCP payload.

- Lowering `min-integrity` to `unapproved` was rejected on prompt-injection grounds; the resolver-side hydration is the chosen mitigation.
- `workflow_run` runs in default-branch context, which means changes to the AW workflow itself cannot be exercised by a Dependabot PR — this is the secure-by-design tradeoff documented in the GitHub Security Lab "preventing pwn requests" guide and aligns with the gh-aw `workflow_run` recommendation.

## Follow-up Tasks

- Validate behaviour on a grouped Dependabot update that produces multiple `PR Validation` runs against the same head SHA — confirm that only the latest completed run drives the advisory review.
- After the first live Dependabot PR runs through the new trigger, compare the posted review's CI banner against the orchestrator's final conclusion and the failing-check list to confirm the staleness regression observed in PR #608 is gone.
- Confirm that `safe-outputs.submit-pull-request-review` and `add-comment` post successfully under `workflow_run` — the `target: ${{ env.PR_NUMBER }}` overrides are the [#588](#588) / [#589](#589) mitigation; a *Not in pull request context* skip in `safe_outputs` would mean the env var did not resolve.

---------

Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Bill Berry <WilliamBerryiii@users.noreply.github.com>
Co-authored-by: Chris Montazer <17170709+rezatnoMsirhC@users.noreply.github.com>
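The commit message above describes a resolver that trusts only the terminal `workflow_run.conclusion`, pre-filters failing check runs into `PR_VALIDATION_FAILING_CHECKS`, and a persona rubric that maps each terminal conclusion to a verdict. The following is an added example, not the repository's own resolver or lock file: it re-implements that decision logic as pure functions over constructed inputs so it can be run offline. Function names (`failingChecks`, `resolveCiSignal`, `decideVerdict`, `isNumpyMajorBump`), the `staticConcern` option and the regex used for the numpy guard are assumptions; the env-var names, skip reasons, conclusion vocabulary and banner strings come from the commit message.

```javascript
// Added example (not the project's code): resolver + verdict map under
// the workflow_run trigger, as described in the #612 commit message.

// Under `types: [completed]` the orchestrator conclusion is one of these.
const TERMINAL_CONCLUSIONS = new Set([
  'success', 'failure', 'cancelled', 'timed_out', 'neutral', 'skipped', 'action_required',
]);

// PR_VALIDATION_FAILING_CHECKS: completed check runs that are not
// success/neutral/skipped, reduced to {name, html_url, conclusion}.
function failingChecks(checkRuns) {
  return checkRuns
    .filter((c) => c.status === 'completed'
      && !['success', 'neutral', 'skipped'].includes(c.conclusion))
    .map(({ name, html_url, conclusion }) => ({ name, html_url, conclusion }));
}

// Resolve the CI signal from the workflow_run payload. `pr` is the PR as
// re-hydrated server-side (null when resolution failed). The conclusion is
// read from the payload, never re-queried, so it cannot be stale.
function resolveCiSignal(payload, pr, checkRuns) {
  const run = payload && payload.workflow_run;
  const skip = (reason) => ({ skipReason: reason, conclusion: 'unknown', failing: [] });
  if (!run || run.event !== 'pull_request') return skip('not-a-pr-run');
  if (!run.actor || run.actor.login !== 'dependabot[bot]') return skip('not-dependabot');
  if (!pr) return skip('pr-resolution-failed');
  if (pr.draft) return skip('draft');
  const conclusion = TERMINAL_CONCLUSIONS.has(run.conclusion) ? run.conclusion : 'unknown';
  return { skipReason: null, conclusion, failing: failingChecks(checkRuns) };
}

// Sticky Isaac Sim ABI guard: a numpy 1.x -> 2.x bump. The Dependabot body
// wording this regex assumes ("Bumps [numpy](...) from 1.x to 2.y") is an
// assumption of this example, not a documented format.
function isNumpyMajorBump(body) {
  return /\bnumpy\b[^\n]*?\bfrom 1\.[\d.]+ to 2\./i.test(body || '');
}

// Terminal-conclusion map from the persona rubric. `staticConcern` stands in
// for the persona's own static findings on the diff.
function decideVerdict(signal, { staticConcern = false, numpyMajorBump = false } = {}) {
  const { conclusion, failing, skipReason } = signal;
  if (numpyMajorBump) {
    return { verdict: 'COMMENT', banner: '⚠️ Maintainer review recommended' };
  }
  if (skipReason === 'pr-resolution-failed'
      || ['neutral', 'skipped', 'unknown'].includes(conclusion)) {
    return {
      verdict: 'COMMENT',
      banner: `> [!CAUTION] Deterministic CI signal unavailable (${conclusion}); review is advisory only.`,
    };
  }
  if (conclusion === 'success') {
    return staticConcern
      ? { verdict: 'COMMENT', banner: null }
      : { verdict: 'APPROVE', banner: null, cite: { conclusion, failing } };
  }
  // failure | cancelled | timed_out | action_required: quote every failing check.
  return {
    verdict: 'COMMENT',
    banner: null,
    quoted: failing.map((c) => `${c.name} (${c.conclusion}): ${c.html_url}`),
  };
}

// Constructed sample inputs (not real payloads from the repository).
const SAMPLE_PAYLOAD = {
  workflow_run: {
    event: 'pull_request', conclusion: 'failure',
    actor: { login: 'dependabot[bot]' }, head_sha: '0000000000000000000000000000000000000000',
  },
};
const SAMPLE_PR = { number: 999, draft: false, body: 'Bumps [numpy](https://example.invalid/numpy) from 1.26.4 to 2.2.0.' };
const SAMPLE_CHECKS = [
  { name: 'PR Validation / lint', status: 'completed', conclusion: 'success', html_url: 'https://example.invalid/1' },
  { name: 'PR Validation / pytest-training', status: 'completed', conclusion: 'failure', html_url: 'https://example.invalid/2' },
  { name: 'PR Validation / docs', status: 'completed', conclusion: 'skipped', html_url: 'https://example.invalid/3' },
  { name: 'PR Validation / e2e', status: 'in_progress', conclusion: null, html_url: 'https://example.invalid/4' },
];

const signal = resolveCiSignal(SAMPLE_PAYLOAD, SAMPLE_PR, SAMPLE_CHECKS);
console.log(JSON.stringify(signal));
console.log(JSON.stringify(decideVerdict(signal, { numpyMajorBump: isNumpyMajorBump(SAMPLE_PR.body) })));
```

On the constructed sample the resolver yields `failure` with exactly one failing check (the in-progress and skipped runs are excluded), and because the body is a numpy 2.x bump the sticky guard wins over the CI map and the verdict stays at `COMMENT` with the maintainer-review banner.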
## Description

The AW Dependabot PR Review agentic workflow was firing on Dependabot PRs but its review output was being silently dropped — every `create_pull_request_review_comment` and `submit_pull_request_review` message was skipped by the `safe_outputs` job with "Not in pull request context", because `workflow_run` events don't carry a `github.event.pull_request` payload. This PR replaces the trigger with `pull_request_target` filtered to `dependabot/**` head branches authored by `dependabot[bot]`, so safe-output handlers now receive a real PR payload and can post inline comments and a submitted review. The resolver step is rewritten to read the PR from the event payload and to query `PR Validation` at runtime (since the two workflows now run in parallel), and the agent persona is updated to tolerate a pending CI conclusion by holding the verdict at `COMMENT` until validation completes.

Closes #588
## Type of Change

## Component(s) Affected

- `infrastructure/terraform/prerequisites/` - Azure subscription setup
- `infrastructure/terraform/` - Terraform infrastructure
- `infrastructure/setup/` - OSMO control plane / Helm
- `workflows/` - Training and evaluation workflows
- `training/` - Training pipelines and scripts
- `docs/` - Documentation

## Testing Performed

- Terraform `plan` reviewed (no unexpected changes)
- Terraform `apply` tested in dev environment
- Smoke tests passed (`smoke_test_azure.py`)

## Documentation Impact

## Bug Fix Checklist

## Checklist

## Changes
### Workflow trigger

The workflow now runs in base-repo context with a real PR payload, rather than chained off `PR Validation` completion.

- Replaced the `workflow_run` trigger with `pull_request_target` on `[opened, synchronize, reopened]` against `main` in `.github/workflows/aw-dependabot-pr-review.md`.
- Added an `if:` guard to require a non-draft PR whose `head.ref` starts with `dependabot/` and whose author is `dependabot[bot]`, layered on top of the existing `bots:` and `roles:` activation gates.
- Dropped the `no-pr-resolved` value from the documented `PR_DEPENDABOT_SKIP_REASON` set since the resolver now always has a PR payload.

### Resolver step rewrite

- Rewrote the `actions/github-script` body to read `context.payload.pull_request` and fail fast when missing.
- Added an `actions.listWorkflowRunsForRepo` query keyed by `head_sha` with `event: 'pull_request'`, locating the most recent run named `PR Validation` and exporting `PR_VALIDATION_CONCLUSION` as the completed `conclusion`, `in_progress:<status>` while running, or `pending` when no run is found yet.
- Wrapped the lookup in `try/catch` so a transient API failure emits a `core.warning` rather than failing the step.

### Agent persona alignment

The agent now expects to run before `PR Validation` finishes and degrades gracefully when CI is still pending.

- Updated the persona to state that the workflow runs on `pull_request_target` and to treat the CI conclusion as `pending` when unavailable.
- Extended the documented `PR_VALIDATION_CONCLUSION` values to include `pending`, `in_progress:<status>`, and `unknown`.
- `pending`, `in_progress:*`, and `unknown` keep the verdict at `COMMENT`.

### Compiled lock file

- Recompiled the lock file from the `.md` to mirror the new trigger, `if:` guard, and resolver script. No semantic changes beyond the source declaration.
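The trigger guard and resolver rewrite described in this PR, as an added example that is not the repository's own workflow or `actions/github-script` step: the activation guard, the "most recent `PR Validation` run for this head SHA" lookup with its `pending` / `in_progress:<status>` / completed `conclusion` mapping, the `try/catch` fallback, and the persona rule that a non-terminal signal holds the verdict at `COMMENT`. Function names (`shouldActivate`, `prValidationConclusion`, `resolvePr`, `holdsVerdictAtComment`) and the synchronous `listRuns` callback standing in for the Octokit call are assumptions of this example; the env-var names and the value vocabulary come from the PR description.

```javascript
// Added example (not the project's code): pull_request_target-era
// activation guard and PR Validation lookup, as described in this PR.

// Mirrors the workflow-level `if:` guard. Under pull_request_target the job
// runs with base-repo permissions, so activation is restricted to non-draft
// PRs on dependabot/** head branches authored by dependabot[bot].
function shouldActivate(pr) {
  return Boolean(pr)
    && pr.draft === false
    && Boolean(pr.head) && typeof pr.head.ref === 'string'
    && pr.head.ref.startsWith('dependabot/')
    && Boolean(pr.user) && pr.user.login === 'dependabot[bot]';
}

// Given the runs returned for { head_sha, event: 'pull_request' }, pick the
// most recent run named "PR Validation" and map it onto the
// PR_VALIDATION_CONCLUSION vocabulary: the completed conclusion,
// in_progress:<status> while it is still running, or pending if none exists.
function prValidationConclusion(runs) {
  const candidates = runs
    .filter((r) => r.name === 'PR Validation')
    .sort((a, b) => new Date(b.created_at) - new Date(a.created_at));
  if (candidates.length === 0) return 'pending';
  const latest = candidates[0];
  return latest.status === 'completed' ? latest.conclusion : `in_progress:${latest.status}`;
}

// The resolver step: read the PR from the event payload and fail fast when it
// is missing; a transient API failure is recorded as a warning (the stand-in
// for core.warning) and the conclusion falls back to 'unknown' instead of
// failing the step. `listRuns` is a synchronous stand-in for
// actions.listWorkflowRunsForRepo (assumption of this example).
function resolvePr(context, listRuns, warnings = []) {
  const pr = context.payload && context.payload.pull_request;
  if (!pr) throw new Error('No pull_request in event payload');
  let conclusion;
  try {
    conclusion = prValidationConclusion(listRuns({ head_sha: pr.head.sha, event: 'pull_request' }));
  } catch (err) {
    warnings.push(`PR Validation lookup failed: ${err.message}`);
    conclusion = 'unknown';
  }
  return {
    PR_NUMBER: pr.number,
    PR_VALIDATION_CONCLUSION: conclusion,
    PR_DEPENDABOT_SKIP_REASON: pr.draft ? 'draft' : null,
  };
}

// Persona rule: pending, in_progress:* and unknown keep the verdict at COMMENT.
function holdsVerdictAtComment(conclusion) {
  return conclusion === 'pending' || conclusion === 'unknown' || conclusion.startsWith('in_progress:');
}

// Constructed sample data (not real payloads from the repository).
const SAMPLE_EVENT_PR = {
  number: 589, draft: false,
  head: { ref: 'dependabot/npm_and_yarn/example-1.2.3', sha: '0000000000000000000000000000000000000000' },
  user: { login: 'dependabot[bot]' },
};
// Two PR Validation runs for the same head SHA: an older completed failure and
// a newer run still in progress. Only the newest drives the conclusion.
const SAMPLE_RUNS = [
  { name: 'PR Validation', status: 'completed', conclusion: 'failure', created_at: '2026-04-27T10:00:00Z' },
  { name: 'PR Validation', status: 'in_progress', conclusion: null, created_at: '2026-04-28T09:00:00Z' },
  { name: 'CodeQL', status: 'completed', conclusion: 'success', created_at: '2026-04-28T09:05:00Z' },
];

const env = resolvePr({ payload: { pull_request: SAMPLE_EVENT_PR } }, () => SAMPLE_RUNS);
console.log(JSON.stringify(env), 'hold at COMMENT:', holdsVerdictAtComment(env.PR_VALIDATION_CONCLUSION));
```

With the constructed runs the newest `PR Validation` run is still in progress, so the resolver exports `in_progress:in_progress` and the persona holds the verdict at `COMMENT`; if only the older completed run existed the conclusion would be `failure`, and with no matching run at all it would be `pending`.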