From 252416ebf0487e2dd936db797a7a6f834b0e1cca Mon Sep 17 00:00:00 2001 From: Alexey <1556417+alex-solovyev@users.noreply.github.com> Date: Mon, 9 Mar 2026 21:57:08 +0100 Subject: [PATCH 1/2] fix: skip bot-triggered workflow runs that cause action_required status on PRs GitHub requires manual approval for workflow runs triggered by bot accounts on pull_request_review and pull_request_review_comment events. When review bots (CodeRabbit, Gemini, etc.) post reviews, both the OpenCode AI Agent and Review Bot Gate workflows fire but get stuck at action_required, creating permanent stale status checks on PRs. Fix: Add job-level 'if' conditions to skip execution when the triggering actor is a known review bot. For the Review Bot Gate, only filter on pull_request_review events (issue_comment from bots works fine and is the primary re-trigger path). For the OpenCode AI Agent, filter all bot actors since bots never post /oc or /opencode trigger commands. Also updates the opencode-github-workflow.yml template with the same fix. Closes #4002 --- .github/workflows/opencode-agent.yml | 12 +++++++++ .github/workflows/review-bot-gate.yml | 26 ++++++++++++++++--- .../opencode-github-workflow.yml | 18 ++++++++++--- 3 files changed, 48 insertions(+), 8 deletions(-) diff --git a/.github/workflows/opencode-agent.yml b/.github/workflows/opencode-agent.yml index f578b7d055..fedd2dbaa7 100644 --- a/.github/workflows/opencode-agent.yml +++ b/.github/workflows/opencode-agent.yml 
@@ -29,6 +29,18 @@ jobs: security-check: name: Security Validation runs-on: ubuntu-latest + # GH#4002: Skip when triggered by known review bots. Bot review comments + # (from CodeRabbit, Gemini, etc.) never contain /oc or /opencode triggers, + # but GitHub requires manual approval for workflow runs triggered by bot + # accounts, causing permanent action_required status on PRs. + if: > + github.actor != 'coderabbitai' && + github.actor != 'gemini-code-assist[bot]' && + github.actor != 'augment-code[bot]' && + github.actor != 'augmentcode[bot]' && + github.actor != 'copilot[bot]' && + github.actor != 'github-actions[bot]' && + github.actor != 'dependabot[bot]' # Needs write permissions to post rejection replies on untrusted comments. # Without this, the GITHUB_TOKEN defaults to read-only and the # createReplyForReviewComment/createComment calls fail with 403. GH#2973. diff --git a/.github/workflows/review-bot-gate.yml b/.github/workflows/review-bot-gate.yml index 667a4f8e87..b1e00342ea 100644 --- a/.github/workflows/review-bot-gate.yml +++ b/.github/workflows/review-bot-gate.yml 
@@ -32,11 +32,29 @@ jobs: review-bot-gate: name: Wait for AI Review Bots runs-on: ubuntu-latest - # Only run on PRs (issue_comment fires for PR comments too) + # Only run on PRs (issue_comment fires for PR comments too). + # GH#4002: Skip pull_request_review events from known review bots. + # GitHub requires manual approval for workflow runs triggered by bot + # accounts on pull_request_review and pull_request_review_comment events, + # causing permanent action_required status on PRs. The issue_comment + # event from bots does NOT require approval, so we allow it — this is + # the primary re-trigger path when a bot posts its review as a comment. if: > - github.event_name == 'pull_request' || - github.event_name == 'pull_request_review' || - (github.event_name == 'issue_comment' && github.event.issue.pull_request) + ( + github.event_name == 'pull_request' || + github.event_name == 'pull_request_review' || + (github.event_name == 'issue_comment' && github.event.issue.pull_request) + ) && !( + github.event_name == 'pull_request_review' && ( + github.actor == 'coderabbitai' || + github.actor == 'gemini-code-assist[bot]' || + github.actor == 'augment-code[bot]' || + github.actor == 'augmentcode[bot]' || + github.actor == 'copilot[bot]' || + github.actor == 'github-actions[bot]' || + github.actor == 'dependabot[bot]' + ) + ) permissions: pull-requests: read diff --git a/configs/mcp-templates/opencode-github-workflow.yml b/configs/mcp-templates/opencode-github-workflow.yml index b9a1945058..e9b7824b19 100644 --- a/configs/mcp-templates/opencode-github-workflow.yml +++ b/configs/mcp-templates/opencode-github-workflow.yml 
@@ -22,10 +22,20 @@ on: jobs: opencode: - # Only run if comment contains /oc or /opencode - if: | - contains(github.event.comment.body, '/oc') || - contains(github.event.comment.body, '/opencode') + # Only run if comment contains /oc or /opencode. + # GH#4002: Also skip known review bots — their comments never contain + # trigger commands, and bot-triggered runs require manual approval, + # causing permanent action_required status on PRs. + if: > + ( + contains(github.event.comment.body, '/oc') || + contains(github.event.comment.body, '/opencode') + ) && + github.actor != 'coderabbitai' && + github.actor != 'gemini-code-assist[bot]' && + github.actor != 'copilot[bot]' && + github.actor != 'github-actions[bot]' && + github.actor != 'dependabot[bot]' runs-on: ubuntu-latest permissions: From b676bc2e523f7ad38ad245cbb665aa2809348a72 Mon Sep 17 00:00:00 2001 From: Alexey <1556417+alex-solovyev@users.noreply.github.com> Date: Mon, 9 Mar 2026 22:16:11 +0100 Subject: [PATCH 2/2] =?UTF-8?q?fix:=20address=20review=20feedback=20?= =?UTF-8?q?=E2=80=94=20add=20missing=20Augment=20bots=20and=20clarify=20KN?= =?UTF-8?q?OWN=5FBOTS?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add augment-code[bot] and augmentcode[bot] to opencode-github-workflow.yml template to match the deployed opencode-agent.yml bot exclusion list - Add clarifying comment to review-bot-gate.yml explaining why KNOWN_BOTS array intentionally differs from the job-level if-condition (trigger exclusion vs review-bot identification serve different purposes) --- .github/workflows/review-bot-gate.yml | 8 ++++++-- configs/mcp-templates/opencode-github-workflow.yml | 2 ++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/review-bot-gate.yml b/.github/workflows/review-bot-gate.yml index b1e00342ea..17cb744ac0 100644 --- a/.github/workflows/review-bot-gate.yml +++ b/.github/workflows/review-bot-gate.yml 
@@ -71,8 +71,12 @@ jobs: run: | echo "Checking PR #${PR_NUMBER} for AI review bot activity..." - # Known review bot patterns (case-insensitive matching on login) - # Add new bots here as they are configured + # Known review bot patterns (case-insensitive matching on login). + # Add new bots here as they are configured. + # NOTE: This list differs from the job-level if-condition which also + # excludes github-actions[bot] and dependabot[bot]. Those bots are + # excluded from triggering this workflow but are NOT code review bots + # whose reviews we wait for. KNOWN_BOTS=( "coderabbitai" "gemini-code-assist[bot]" diff --git a/configs/mcp-templates/opencode-github-workflow.yml b/configs/mcp-templates/opencode-github-workflow.yml index e9b7824b19..7f2a7a28ee 100644 --- a/configs/mcp-templates/opencode-github-workflow.yml +++ b/configs/mcp-templates/opencode-github-workflow.yml @@ -33,6 +33,8 @@ jobs: ) && github.actor != 'coderabbitai' && github.actor != 'gemini-code-assist[bot]' && + github.actor != 'augment-code[bot]' && + github.actor != 'augmentcode[bot]' && github.actor != 'copilot[bot]' && github.actor != 'github-actions[bot]' && github.actor != 'dependabot[bot]'
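Review bot: In the opencode-agent.yml hunk of patch 1, the new `if` on `security-check` turns the Security Validation job into a skipped job whenever a listed bot is `github.actor`; please confirm that every downstream job in that workflow declares `needs: security-check` (not visible in the hunk), because a job without that dependency will still run for those events without the validation step having executed. It is also worth checking the exact login strings against `github.actor` from a real run: the list mixes a bare `coderabbitai` with `[bot]`-suffixed logins, and an entry that does not match silently leaves that bot's runs stuck at action_required.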
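Review bot: The skip clause in the review-bot-gate.yml `if` of patch 1 only applies when `github.event_name == 'pull_request_review'`, while the commit message says GitHub requires approval for bot-triggered runs on both `pull_request_review` and `pull_request_review_comment`; if this workflow's `on:` block (outside the hunk) includes `pull_request_review_comment`, bot-authored review comments will still produce the stuck status, so either add that event name to the `!(...)` clause or document why it is out of scope. The same seven-entry actor list now lives by hand in three files; a comment naming the other locations would help keep them in sync.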
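Review bot: In the opencode-github-workflow.yml hunk of patch 1, the exclusion list omits `augment-code[bot]` and `augmentcode[bot]`, which the opencode-agent.yml hunk in the same patch includes, so the template and the deployed workflow already disagree within this commit; patch 2 corrects it, but squashing that fix into this one would avoid shipping a template revision that is known to be incomplete.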
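Review bot: The new NOTE in the review-bot-gate.yml `KNOWN_BOTS` hunk names only `github-actions[bot]` and `dependabot[bot]` as the entries that differ from the job-level `if`, but that `if` also excludes `copilot[bot]`, `augment-code[bot]` and `augmentcode[bot]`, and the array is cut off after `"gemini-code-assist[bot]"` in the hunk; please make the comment state the full difference (either list the remaining `if`-only entries, or say that copilot and the Augment logins appear in both lists) so the next maintainer can tell which list to update for a given bot.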
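Review bot: With the opencode-github-workflow.yml hunk of patch 2 the template's list matches the seven entries in opencode-agent.yml, but nothing in the template says which file is canonical; a one-line comment above the `if` pointing at `.github/workflows/opencode-agent.yml` would make the expected sync direction explicit, given that the drift this hunk fixes was introduced one commit earlier.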