From d75de0c24b971a2d87e817ac3cb8e09cb816aac0 Mon Sep 17 00:00:00 2001 From: Yuriy Andamasov Date: Thu, 14 May 2026 01:16:59 +0300 Subject: ci(ai-validation): skip validation on Mergify-authored PRs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The upstream anthropics/claude-code-action rejects bot-initiated workflow runs with: Workflow initiated by non-human actor: mergify (type: Bot). Add bot to allowed_bots list or use '*' to allow all bots. This leaves a failing required check on every Mergify backport PR (#2025 today is the proximate symptom — circinus backport of #2016 is blocked from auto-merging by this). Per org policy, Mergify-authored PRs skip the bot-review flow entirely: the underlying change was already reviewed on the source PR. Re-running validation on the backport would also post duplicate findings. Fix: extend the existing `secrets-check` step (kept the id for backwards compat with the cascade of `if: steps.secrets-check.outputs.skip != 'true'` gates) to also short-circuit when `github.event.pull_request.user.login` equals `mergify[bot]`. Add a `skip_reason` output so the notify-on-PR step can distinguish bot-skip (silent) from missing-secrets (post a notice comment). Implementation notes: - PR author is bound through env: PR_AUTHOR (same pattern as secret bindings) so the template-expansion happens before bash sees the value as an already-quoted env variable. - Uses `printf '...%s\n' "$PR_AUTHOR"` for the notice line so the shell — not the YAML template engine — interpolates the author into the workflow log output. - Renamed step name to "Decide whether to skip validation" to reflect the broader scope; step id stays `secrets-check`. 🤖 Generated by [robots](https://vyos.io) --- .github/workflows/ai-validation.yml | 37 +++++++++++++++++++++++++++++++++---- 1 file changed, 33 insertions(+), 4 deletions(-) (limited to '.github/workflows/ai-validation.yml') diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml index 2060e042..8d22ddb1 100644 --- a/.github/workflows/ai-validation.yml +++ b/.github/workflows/ai-validation.yml @@ -234,21 +234,45 @@ jobs: # parses the script, so a secret containing a single quote, backtick, # or $ could break the [ -z ... ] test syntactically or be evaluated. # The env: mapping hands the value to bash as an already-quoted env - # variable that "$VAR" expansion handles safely. - - name: Check secrets availability + # variable that "$VAR" expansion handles safely. The same env-binding + # discipline applies to user-controlled inputs (PR author login below). + # + # Step id stays `secrets-check` for backwards compat with the cascade + # of `if: steps.secrets-check.outputs.skip != 'true'` gates below. + # Scope is now broader — also short-circuits on bot-authored PRs. + - name: Decide whether to skip validation id: secrets-check env: + PR_AUTHOR: ${{ github.event.pull_request.user.login }} VYOS_APP_ID: ${{ secrets.VYOS_APP_ID }} VYOS_APP_PRIVATE_KEY: ${{ secrets.VYOS_APP_PRIVATE_KEY }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} run: | + # Skip on Mergify-authored PRs (backport PRs, queue PRs). The + # underlying change was already reviewed on the source PR; + # re-validating the backport just produces duplicate findings + # and (worse) the upstream anthropics/claude-code-action rejects + # bot-initiated runs with: + # "Workflow initiated by non-human actor: mergify (type: Bot). + # Add bot to allowed_bots list or use '*' to allow all bots." + # which leaves a failing required check and blocks the backport + # from auto-merging. Org rule: Mergify-authored PRs skip bot + # review entirely. + if [ "$PR_AUTHOR" = "mergify[bot]" ]; then + echo "skip=true" >> "$GITHUB_OUTPUT" + echo "skip_reason=bot-author" >> "$GITHUB_OUTPUT" + printf '::notice::Skipping AI validation — PR authored by %s (already reviewed on source PR)\n' "$PR_AUTHOR" + exit 0 + fi if [ -z "$VYOS_APP_ID" ] \ || [ -z "$VYOS_APP_PRIVATE_KEY" ] \ || [ -z "$ANTHROPIC_API_KEY" ]; then echo "skip=true" >> "$GITHUB_OUTPUT" + echo "skip_reason=missing-secrets" >> "$GITHUB_OUTPUT" echo "::notice::Skipping AI validation — required secrets not available" else echo "skip=false" >> "$GITHUB_OUTPUT" + echo "skip_reason=" >> "$GITHUB_OUTPUT" fi # Surface the skip to PR authors as a normal review comment in @@ -260,8 +284,13 @@ jobs: # flooding the PR conversation on rapid push sequences while the # secrets stay missing. Open/reopen is the right moment to inform # the PR author once; further pushes don't add new information. - - name: Notify on PR (when skipping) - if: steps.secrets-check.outputs.skip == 'true' && (github.event.action == 'opened' || github.event.action == 'reopened') + # + # Gate also on skip_reason == 'missing-secrets'. We deliberately do + # NOT post a notice on bot-author skips — every Mergify backport + # would carry a noise comment that adds no signal to a maintainer + # who knows the source PR was already reviewed. + - name: Notify on PR (when skipping for missing secrets) + if: steps.secrets-check.outputs.skip_reason == 'missing-secrets' && (github.event.action == 'opened' || github.event.action == 'reopened') env: GH_TOKEN: ${{ github.token }} run: | -- cgit v1.2.3