From 8f4df4b9a5e088d966d8ce7b48202f2a7414ac71 Mon Sep 17 00:00:00 2001 From: Jeff West Date: Sun, 17 May 2026 07:39:11 -0500 Subject: [PATCH] fix(ci): skip claude-review job for Dependabot PRs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Root cause: GitHub does not expose repo secrets (including CLAUDE_CODE_OAUTH_TOKEN) to workflow runs triggered by dependabot- authored PRs — a security default that blocks malicious deps from exfiltrating credentials. The action exits with an empty-credential failure on every dep bump, so all 5 currently-open dependabot PRs (#115-#119) show a red claude-review check despite tests + drift being green. Skip the job entirely for dependabot[bot] rather than try to wire Dependabot secrets — dep-version-bump diffs are low-signal for AI review anyway. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/claude-code-review.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index b14868e..bbfd7ed 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -12,11 +12,11 @@ on: jobs: claude-review: - # Optional: Filter by PR author - # if: | - # github.event.pull_request.user.login == 'external-contributor' || - # github.event.pull_request.user.login == 'new-developer' || - # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' + # Skip Dependabot PRs — GitHub does not expose repo secrets (including + # CLAUDE_CODE_OAUTH_TOKEN) to dependabot-triggered runs, so the action + # exits with an empty-credential failure on every dep bump. The diff is + # also low-signal for review (version bumps, not behavior changes). + if: github.actor != 'dependabot[bot]' runs-on: ubuntu-latest permissions: