Skip to content

fix(ci): skip claude-review for Dependabot PRs (root cause of #115–#119 failures)#122

Merged
TexasCoding merged 1 commit into
mainfrom
fix/skip-claude-review-for-dependabot
May 17, 2026
Merged

fix(ci): skip claude-review for Dependabot PRs (root cause of #115–#119 failures)#122
TexasCoding merged 1 commit into
mainfrom
fix/skip-claude-review-for-dependabot

Conversation

@TexasCoding

Copy link
Copy Markdown
Owner

Summary

All 5 currently-open Dependabot PRs (#115, #116, #117, #118, #119) have the same single failing check: claude-review. Tests + drift-check pass on every one.

Root cause: GitHub does not expose repo secrets — including CLAUDE_CODE_OAUTH_TOKEN — to workflow runs triggered by Dependabot-authored PRs. This is a deliberate security default (a malicious dependency could otherwise exfiltrate credentials via a crafted PR). The action lands in the runner with empty credentials and exits 1 before doing anything useful.

Evidence from the log on PR #115's run (25990801467):

ANTHROPIC_API_KEY:

Fix: add if: github.actor != 'dependabot[bot]' at the job level. Skips the run entirely rather than firing and failing. Dep-bump diffs are low-signal for AI review anyway (version range changes, not behavior).

Alternative considered: configure Dependabot secrets (a separate secret store GitHub exposes to dependabot-triggered runs). Rejected — extra complexity for an action that doesn't add review value on version bumps.

After this merges, the 5 open Dependabot PRs will need a re-trigger (close/reopen, or push a no-op) for the skip to take effect on a fresh run.

Test plan

  • YAML parses cleanly
  • After merge, retrigger one Dependabot PR and confirm claude-review is skipped (not failed)

Root cause: GitHub does not expose repo secrets (including
CLAUDE_CODE_OAUTH_TOKEN) to workflow runs triggered by dependabot-
authored PRs — a security default that blocks malicious deps from
exfiltrating credentials. The action exits with an empty-credential
failure on every dep bump, so all 5 currently-open dependabot PRs
(#115-#119) show a red claude-review check despite tests + drift
being green.

Skip the job entirely for dependabot[bot] rather than try to wire
Dependabot secrets — dep-version-bump diffs are low-signal for AI
review anyway.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@TexasCoding TexasCoding merged commit 927b837 into main May 17, 2026
3 of 4 checks passed
@TexasCoding TexasCoding deleted the fix/skip-claude-review-for-dependabot branch May 17, 2026 12:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant