diff --git a/.github/workflows/opencode-agent.yml b/.github/workflows/opencode-agent.yml
index f578b7d055..fedd2dbaa7 100644
--- a/.github/workflows/opencode-agent.yml
+++ b/.github/workflows/opencode-agent.yml
@@ -29,6 +29,18 @@ jobs:
 security-check:
 name: Security Validation
 runs-on: ubuntu-latest
+ # GH#4002: Skip when triggered by known review bots. Bot review comments
+ # (from CodeRabbit, Gemini, etc.) never contain /oc or /opencode triggers,
+ # but GitHub requires manual approval for workflow runs triggered by bot
+ # accounts, causing permanent action_required status on PRs.
+ if: >
+ github.actor != 'coderabbitai' &&
+ github.actor != 'gemini-code-assist[bot]' &&
+ github.actor != 'augment-code[bot]' &&
+ github.actor != 'augmentcode[bot]' &&
+ github.actor != 'copilot[bot]' &&
+ github.actor != 'github-actions[bot]' &&
+ github.actor != 'dependabot[bot]'
 # Needs write permissions to post rejection replies on untrusted comments.
 # Without this, the GITHUB_TOKEN defaults to read-only and the
 # createReplyForReviewComment/createComment calls fail with 403. GH#2973.
diff --git a/.github/workflows/review-bot-gate.yml b/.github/workflows/review-bot-gate.yml
index 667a4f8e87..17cb744ac0 100644
--- a/.github/workflows/review-bot-gate.yml
+++ b/.github/workflows/review-bot-gate.yml
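Review bot: Skipping the `security-check` job via the new job-level `if:` makes its result `skipped` rather than `failure`, so any downstream job wired with `if: always()` or `needs.security-check.result != 'failure'` would now run for these actors without the validation having happened; the `needs` wiring is outside this hunk, so verify dependents require `needs.security-check.result == 'success'` or rely on default skip propagation. The allowlist is keyed on exact `github.actor` logins and is repeated verbatim in the other two workflows in this commit, so adding a bot to one copy but not the others silently reintroduces the `action_required` problem. If the intent is "any bot account" rather than this specific list, the payload already carries that: `if: github.event.sender.type != 'Bot'` replaces all seven comparisons and needs no upkeep. Either way, a comment such as `# Keep in sync with review-bot-gate.yml and configs/mcp-templates/opencode-github-workflow.yml` belongs above the list.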
@@ -32,11 +32,29 @@ jobs:
 review-bot-gate:
 name: Wait for AI Review Bots
 runs-on: ubuntu-latest
- # Only run on PRs (issue_comment fires for PR comments too)
+ # Only run on PRs (issue_comment fires for PR comments too).
+ # GH#4002: Skip pull_request_review events from known review bots.
+ # GitHub requires manual approval for workflow runs triggered by bot
+ # accounts on pull_request_review and pull_request_review_comment events,
+ # causing permanent action_required status on PRs. The issue_comment
+ # event from bots does NOT require approval, so we allow it — this is
+ # the primary re-trigger path when a bot posts its review as a comment.
 if: >
- github.event_name == 'pull_request' ||
- github.event_name == 'pull_request_review' ||
- (github.event_name == 'issue_comment' && github.event.issue.pull_request)
+ (
+ github.event_name == 'pull_request' ||
+ github.event_name == 'pull_request_review' ||
+ (github.event_name == 'issue_comment' && github.event.issue.pull_request)
+ ) && !(
+ github.event_name == 'pull_request_review' && (
+ github.actor == 'coderabbitai' ||
+ github.actor == 'gemini-code-assist[bot]' ||
+ github.actor == 'augment-code[bot]' ||
+ github.actor == 'augmentcode[bot]' ||
+ github.actor == 'copilot[bot]' ||
+ github.actor == 'github-actions[bot]' ||
+ github.actor == 'dependabot[bot]'
+ )
+ )
 permissions:
 pull-requests: read
@@ -53,8 +71,12 @@ jobs:
 run: |
 echo "Checking PR #${PR_NUMBER} for AI review bot activity..."
- # Known review bot patterns (case-insensitive matching on login)
- # Add new bots here as they are configured
+ # Known review bot patterns (case-insensitive matching on login).
+ # Add new bots here as they are configured.
+ # NOTE: This list differs from the job-level if-condition which also
+ # excludes github-actions[bot] and dependabot[bot]. Those bots are
+ # excluded from triggering this workflow but are NOT code review bots
+ # whose reviews we wait for.
 KNOWN_BOTS=(
 "coderabbitai"
 "gemini-code-assist[bot]"
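Review bot: The login list inside the new `!( ... )` clause is a third hand-maintained copy of the same seven names (the job-level `if:` in opencode-agent.yml and the `KNOWN_BOTS` shell array further down this file are the other two), and the hunk's own NOTE already records that one of them has drifted. Since the exclusion only exists to drop `pull_request_review` runs that GitHub would hold for approval anyway, it can be stated without enumerating logins: `) && !(github.event_name == 'pull_request_review' && github.event.sender.type == 'Bot')` collapses the seven `||` terms into one and covers any future bot. If the explicit list must stay for some bots, add `# Keep in sync with opencode-agent.yml and the KNOWN_BOTS array below` above it so the next addition lands in all copies.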
diff --git a/configs/mcp-templates/opencode-github-workflow.yml b/configs/mcp-templates/opencode-github-workflow.yml
index b9a1945058..7f2a7a28ee 100644
--- a/configs/mcp-templates/opencode-github-workflow.yml
+++ b/configs/mcp-templates/opencode-github-workflow.yml
@@ -22,10 +22,22 @@ on:
 jobs:
 opencode:
- # Only run if comment contains /oc or /opencode
- if: |
- contains(github.event.comment.body, '/oc') ||
- contains(github.event.comment.body, '/opencode')
+ # Only run if comment contains /oc or /opencode.
+ # GH#4002: Also skip known review bots — their comments never contain
+ # trigger commands, and bot-triggered runs require manual approval,
+ # causing permanent action_required status on PRs.
+ if: >
+ (
+ contains(github.event.comment.body, '/oc') ||
+ contains(github.event.comment.body, '/opencode')
+ ) &&
+ github.actor != 'coderabbitai' &&
+ github.actor != 'gemini-code-assist[bot]' &&
+ github.actor != 'augment-code[bot]' &&
+ github.actor != 'augmentcode[bot]' &&
+ github.actor != 'copilot[bot]' &&
+ github.actor != 'github-actions[bot]' &&
+ github.actor != 'dependabot[bot]'
 runs-on: ubuntu-latest
 permissions:
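Review bot: The rewritten `if:` still admits any non-bot commenter: nothing in the expression looks at `github.event.comment.author_association`, so on a public repository a drive-by `/oc` comment from a non-collaborator satisfies it and the job runs with whatever the `permissions:` block (cut off at the end of the hunk) grants. Unless this template gates on association in a later step, add it to the same expression, e.g. `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&` ahead of the actor comparisons, since this file is copied into other repositories as-is. Separately, `contains(github.event.comment.body, '/oc')` is a substring test, so a comment containing `/octocat` or a URL path like `/ocean` also triggers the agent; a stricter match than a bare substring, or a validating step before anything privileged, is cheap insurance. The actor list is also the same seven logins as in the two workflows above, so `github.event.sender.type != 'Bot'` would express the intent in one clause without a list to maintain.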