summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorYuriy Andamasov <yuriy@vyos.io>2026-05-14 01:16:59 +0300
committerYuriy Andamasov <yuriy@vyos.io>2026-05-14 01:16:59 +0300
commitd75de0c24b971a2d87e817ac3cb8e09cb816aac0 (patch)
tree7df810a4c0fd211fb84e528204379bb5a175549e
parent155fc647d54477245e9fff0cfbcb4cd4ef1d548b (diff)
downloadvyos-documentation-d75de0c24b971a2d87e817ac3cb8e09cb816aac0.tar.gz
vyos-documentation-d75de0c24b971a2d87e817ac3cb8e09cb816aac0.zip
ci(ai-validation): skip validation on Mergify-authored PRs
The upstream anthropics/claude-code-action rejects bot-initiated workflow runs with: Workflow initiated by non-human actor: mergify (type: Bot). Add bot to allowed_bots list or use '*' to allow all bots. This leaves a failing required check on every Mergify backport PR (#2025 today is the proximate symptom — circinus backport of #2016 is blocked from auto-merging by this). Per org policy, Mergify-authored PRs skip the bot-review flow entirely: the underlying change was already reviewed on the source PR. Re-running validation on the backport would also post duplicate findings. Fix: extend the existing `secrets-check` step (kept the id for backwards compat with the cascade of `if: steps.secrets-check.outputs.skip != 'true'` gates) to also short-circuit when `github.event.pull_request.user.login` equals `mergify[bot]`. Add a `skip_reason` output so the notify-on-PR step can distinguish bot-skip (silent) from missing-secrets (post a notice comment). Implementation notes: - PR author is bound through env: PR_AUTHOR (same pattern as secret bindings) so the template-expansion happens before bash sees the value as an already-quoted env variable. - Uses `printf '...%s\n' "$PR_AUTHOR"` for the notice line so the shell — not the YAML template engine — interpolates the author into the workflow log output. - Renamed step name to "Decide whether to skip validation" to reflect the broader scope; step id stays `secrets-check`. 🤖 Generated by [robots](https://vyos.io)
-rw-r--r--.github/workflows/ai-validation.yml37
1 files changed, 33 insertions, 4 deletions
diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml
index 2060e042..8d22ddb1 100644
--- a/.github/workflows/ai-validation.yml
+++ b/.github/workflows/ai-validation.yml
@@ -234,21 +234,45 @@ jobs:
# parses the script, so a secret containing a single quote, backtick,
# or $ could break the [ -z ... ] test syntactically or be evaluated.
# The env: mapping hands the value to bash as an already-quoted env
- # variable that "$VAR" expansion handles safely.
- - name: Check secrets availability
+ # variable that "$VAR" expansion handles safely. The same env-binding
+ # discipline applies to user-controlled inputs (PR author login below).
+ #
+ # Step id stays `secrets-check` for backwards compat with the cascade
+ # of `if: steps.secrets-check.outputs.skip != 'true'` gates below.
+ # Scope is now broader — also short-circuits on bot-authored PRs.
+ - name: Decide whether to skip validation
id: secrets-check
env:
+ PR_AUTHOR: ${{ github.event.pull_request.user.login }}
VYOS_APP_ID: ${{ secrets.VYOS_APP_ID }}
VYOS_APP_PRIVATE_KEY: ${{ secrets.VYOS_APP_PRIVATE_KEY }}
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
run: |
+ # Skip on Mergify-authored PRs (backport PRs, queue PRs). The
+ # underlying change was already reviewed on the source PR;
+ # re-validating the backport just produces duplicate findings
+ # and (worse) the upstream anthropics/claude-code-action rejects
+ # bot-initiated runs with:
+ # "Workflow initiated by non-human actor: mergify (type: Bot).
+ # Add bot to allowed_bots list or use '*' to allow all bots."
+ # which leaves a failing required check and blocks the backport
+ # from auto-merging. Org rule: Mergify-authored PRs skip bot
+ # review entirely.
+ if [ "$PR_AUTHOR" = "mergify[bot]" ]; then
+ echo "skip=true" >> "$GITHUB_OUTPUT"
+ echo "skip_reason=bot-author" >> "$GITHUB_OUTPUT"
+ printf '::notice::Skipping AI validation — PR authored by %s (already reviewed on source PR)\n' "$PR_AUTHOR"
+ exit 0
+ fi
if [ -z "$VYOS_APP_ID" ] \
|| [ -z "$VYOS_APP_PRIVATE_KEY" ] \
|| [ -z "$ANTHROPIC_API_KEY" ]; then
echo "skip=true" >> "$GITHUB_OUTPUT"
+ echo "skip_reason=missing-secrets" >> "$GITHUB_OUTPUT"
echo "::notice::Skipping AI validation — required secrets not available"
else
echo "skip=false" >> "$GITHUB_OUTPUT"
+ echo "skip_reason=" >> "$GITHUB_OUTPUT"
fi
# Surface the skip to PR authors as a normal review comment in
@@ -260,8 +284,13 @@ jobs:
# flooding the PR conversation on rapid push sequences while the
# secrets stay missing. Open/reopen is the right moment to inform
# the PR author once; further pushes don't add new information.
- - name: Notify on PR (when skipping)
- if: steps.secrets-check.outputs.skip == 'true' && (github.event.action == 'opened' || github.event.action == 'reopened')
+ #
+ # Gate also on skip_reason == 'missing-secrets'. We deliberately do
+ # NOT post a notice on bot-author skips — every Mergify backport
+ # would carry a noise comment that adds no signal to a maintainer
+ # who knows the source PR was already reviewed.
+ - name: Notify on PR (when skipping for missing secrets)
+ if: steps.secrets-check.outputs.skip_reason == 'missing-secrets' && (github.event.action == 'opened' || github.event.action == 'reopened')
env:
GH_TOKEN: ${{ github.token }}
run: |