Add configurable allowed-bot-users workflow input #229
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@github/workflows/gh-aw-pr-review.md`:
- Around line 32-36: The workflows use a single YAML string input
"allowed-bot-users" which is being treated as one array element when converted
to "bots"; update each workflow to accept a JSON array string and parse it with
fromJSON rather than relying on CSV parsing: change the usage that populates the
"bots" input to use fromJSON(inputs.allowed-bot-users) (e.g., where "bots" is
set) and update callers to pass a JSON array like '["bot1[bot]","bot2[bot]"]';
alternatively, if you must accept comma-separated values, add a preprocessing
shell step that splits inputs.allowed-bot-users into individual entries and
passes the resulting array to downstream steps instead of leaving "bots" as a
single CSV string — apply this fix for the referenced workflows that define or
use the allowed-bot-users input and the "bots" field.
Add proposed workflow shim copies under github/workflows with a new `allowed-bot-users` workflow_call input and wire bot allowlists to `${{ inputs.allowed-bot-users }}`. Update corresponding workflow READMEs to document the new input.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Regenerate lock files so GH_AW_ALLOWED_BOTS uses the
${{ inputs.allowed-bot-users }} expression at runtime.
Co-authored-by: Cursor <cursoragent@cursor.com>
Branch updated from acf0c3a to 5f1111d.
Extend the configurable bot allowlist to all 31 workflows (not just the original 6). Since these are all reusable workflows, callers control the trigger events and any of them could be wired to interactive events where a bot is the actor.
- 30 workflow_call workflows: add `allowed-bot-users` input with default `github-actions[bot]` and wire `bots:` to the input
- 1 standalone workflow (upgrade-check): add hardcoded `bots:` entry
- Update all 24 READMEs with the new input documentation
- Recompile all lock files
Co-authored-by: Cursor <cursoragent@cursor.com>
APPROVE — I found no blocking issues in this PR.
From workflow: PR Review Agent
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/workflows/gh-aw-upgrade-check.lock.yml (1)
425-426: ⚠️ Potential issue | 🟡 Minor. Pre-existing issue: references to non-existent job outputs.
These environment variables reference `needs.pre_activation.outputs`, but there is no `pre_activation` job defined in this workflow. While this wasn't introduced by the current PR, these references will resolve to empty values at runtime. Consider either:
- Removing these unused environment variable assignments
- Adding the missing `pre_activation` job if bot/role checking is intended
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-upgrade-check.lock.yml around lines 425 - 426, The workflow sets environment vars GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED and GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND from needs.pre_activation.outputs but there is no pre_activation job; either remove these environment assignments or add a pre_activation job that exposes outputs activated and matched_command so the values resolve; locate the GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED / GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND entries and either delete them or implement a pre_activation job that sets outputs.
.github/workflows/gh-aw-breaking-change-detect.md (1)
29-44: ⚠️ Potential issue | 🟠 Major. Split `allowed-bot-users` into a YAML list for the `bots` field.
The `bots` field expects a YAML list of discrete bot usernames (e.g., `["bot1[bot]", "bot2[bot]"]`), but currently wraps the entire `allowed-bot-users` input as a single string item. If multiple comma-separated bots are provided (e.g., `"github-actions[bot],dependabot[bot]"`), the entire string will be treated as one username and fail to match. Either split the CSV string using a shell step or change the input to accept a JSON array format directly.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-breaking-change-detect.md around lines 29 - 44, The bots field is receiving the entire inputs.allowed-bot-users string as a single list item so comma-separated usernames won't be recognized; update the workflow to provide bots as a real YAML/JSON array instead of a single string by either (A) changing the allowed-bot-users input to accept a JSON array and pass that array into the bots field, or (B) add a step that splits the CSV from inputs.allowed-bot-users into an actual array (e.g., using a shell or action to convert CSV → JSON array) and then set that array into the bots field; reference the inputs.allowed-bot-users input and the bots field in your change so the workflow consumes discrete usernames rather than one concatenated string.
🧹 Nitpick comments (1)
.github/workflows/gh-aw-downstream-health.md (1)
98-101: Keep the prompt consistent with configurable bot input.
The prompt hardcodes `github-actions[bot]`. If callers customize `allowed-bot-users`, the agent instructions become outdated. Consider parameterizing the prompt text or referencing the input explicitly.
♻️ Suggested tweak
- Look for recent comments and PR reviews by `github-actions[bot]` in the last 24 hours:
- - Use `github-search_issues` with query: `repo:{owner}/{repo} commenter:github-actions[bot] updated:>={date}`
- - Use `github-search_pull_requests` with query: `repo:{owner}/{repo} reviewed-by:github-actions[bot] updated:>={date}`
+ Look for recent comments and PR reviews by allowed bots in the last 24 hours (from `allowed-bot-users`):
+ - Use `github-search_issues` with query: `repo:{owner}/{repo} commenter:{bot} updated:>={date}`
+ - Use `github-search_pull_requests` with query: `repo:{owner}/{repo} reviewed-by:{bot} updated:>={date}`
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-downstream-health.md around lines 98 - 101, Replace the hardcoded "github-actions[bot]" in the two search queries with the configurable bot input (e.g., the variable or input representing allowed bot users such as allowed-bot-users or inputs.allowed_bot_users) so the prompt builds queries dynamically; update the lines that construct the github-search_issues and github-search_pull_requests queries to interpolate that variable (or reference the input explicitly) instead of the literal "github-actions[bot]" so callers who customize allowed-bot-users are respected.
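Review bot: the suggested tweak conflates two different uses of `allowed-bot-users`. As the PR description puts it, the input governs which bot actors may trigger a workflow (the pre-activation `check_membership` step compares `github.actor` against the list), whereas these two queries search for comments and reviews authored by a bot; a caller that allowlists `dependabot[bot]` as a permitted trigger does not necessarily want the health check to look for dependabot review activity. The `{bot}` placeholder in the `+` lines is also new: `{owner}`, `{repo}` and `{date}` are already substituted, but nothing in the diff shows how `{bot}` would be expanded, and with a comma-separated input the prompt would need one query per entry. If the prompt is to be parameterized, a separate input naming the bot whose activity to look for would be clearer than reusing the trigger allowlist.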
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/gh-aw-upgrade-check.lock.yml:
- Around line 40-41: The commented notes about a "pre_activation" job and the
commented-out bots configuration are misleading because this workflow only
defines the jobs activation, agent, conclusion, detection, and safe_outputs;
either remove those comment lines entirely to avoid confusion or add a hardcoded
bots: entry for the standalone upgrade-check workflow (e.g., include bots: [
"github-actions[bot]" ]) in the workflow inputs/top-level config as described in
the PR; update the comment or code near the existing commented lines so they
accurately reflect the actual jobs (activation, agent, conclusion, detection,
safe_outputs) and the chosen approach (remove comments if bot checking is not
used, or enable the bots entry if required).
---
Outside diff comments:
In @.github/workflows/gh-aw-breaking-change-detect.md:
- Around line 29-44: The bots field is receiving the entire
inputs.allowed-bot-users string as a single list item so comma-separated
usernames won't be recognized; update the workflow to provide bots as a real
YAML/JSON array instead of a single string by either (A) changing the
allowed-bot-users input to accept a JSON array and pass that array into the bots
field, or (B) add a step that splits the CSV from inputs.allowed-bot-users into
an actual array (e.g., using a shell or action to convert CSV → JSON array) and
then set that array into the bots field; reference the inputs.allowed-bot-users
input and the bots field in your change so the workflow consumes discrete
usernames rather than one concatenated string.
In @.github/workflows/gh-aw-upgrade-check.lock.yml:
- Around line 425-426: The workflow sets environment vars
GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED and
GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND from
needs.pre_activation.outputs but there is no pre_activation job; either remove
these environment assignments or add a pre_activation job that exposes outputs
activated and matched_command so the values resolve; locate the
GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED /
GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_MATCHED_COMMAND entries and either delete
them or implement a pre_activation job that sets outputs.
---
Duplicate comments:
In @.github/workflows/gh-aw-agent-suggestions.md:
- Around line 28-43: The workflow currently passes the comma-separated string
input "allowed-bot-users" directly into the "bots" list which yields a single
CSV string entry instead of an array; update the template so the "bots" value is
an actual array by splitting the "inputs.allowed-bot-users" CSV on commas,
trimming whitespace, and omitting empty entries before expanding into the "bots"
array (i.e. transform inputs.allowed-bot-users -> an array and use that array
for bots); reference the "allowed-bot-users" input and the "bots" key when
making the change.
In @.github/workflows/gh-aw-bug-hunter.md:
- Around line 43-44: The `bots` entry currently uses a single array element "${{
inputs.allowed-bot-users }}", which will register the entire input string as one
bot; update the workflow so multiple bot usernames are expanded: either parse
the comma-separated input into separate array elements (split the
inputs.allowed-bot-users value on commas/whitespace and emit each trimmed
username as its own array item for `bots`) or change the input to a
multi-line/matrix style and iterate over each line as an array element; locate
the `bots` key and the `inputs.allowed-bot-users` reference in the workflow and
implement the chosen parsing/iteration approach so multiple bots are registered
correctly.
In @.github/workflows/gh-aw-docs-drift-external.md:
- Around line 29-49: The CSV allowlist in the workflow uses the single string
input inputs.allowed-bot-users and then injects it directly into the bots array,
which will fail when multiple comma-separated bot names are provided; change the
input to accept a YAML/JSON array or split-and-trim the allowed-bot-users string
before populating the bots list. Specifically, update the workflow to either (a)
make allowed-bot-users a multiline/array input and feed that into the bots key,
or (b) add a step that parses inputs.allowed-bot-users by splitting on commas
and trimming whitespace to produce an array, then reference that parsed array
for bots so the bots entry correctly contains multiple entries instead of one
comma string.
In @.github/workflows/gh-aw-project-summary.md:
- Around line 29-44: The workflow uses a CSV string input allowed-bot-users
(inputs.allowed-bot-users) directly as the bots list, which will not correctly
handle comma-separated values; change the workflow to parse the CSV into an
array (split on commas, trim whitespace, filter out empty entries) before
assigning to the bots list (or use a step that converts the CSV to a JSON array
and references that output), ensuring inputs.allowed-bot-users, the bots section
and any consumer steps use the parsed array so multiple bot usernames are
handled correctly.
---
Nitpick comments:
In @.github/workflows/gh-aw-downstream-health.md:
- Around line 98-101: Replace the hardcoded "github-actions[bot]" in the two
search queries with the configurable bot input (e.g., the variable or input
representing allowed bot users such as allowed-bot-users or
inputs.allowed_bot_users) so the prompt builds queries dynamically; update the
lines that construct the github-search_issues and github-search_pull_requests
queries to interpolate that variable (or reference the input explicitly) instead
of the literal "github-actions[bot]" so callers who customize allowed-bot-users
are respected.
In .github/workflows/gh-aw-upgrade-check.lock.yml (lines 40-41):
```yaml
# bots: # Bots processed as bot check in pre-activation job
# - github-actions[bot] # Bots processed as bot check in pre-activation job
```
Misleading comments reference a non-existent job, and the bot configuration is unexpectedly commented out.
The comments claim bots are processed in a pre-activation job, but this workflow has no `pre_activation` job defined (only `activation`, `agent`, `conclusion`, `detection`, and `safe_outputs`).
Additionally, according to the PR description, the upgrade-check workflow is a standalone workflow that should have a hardcoded `bots:` entry rather than a configurable input. However, both the `bots:` field and the `github-actions[bot]` entry are commented out here.
Expected configuration for standalone workflow
Based on the PR objectives, this should likely be:
- # bots: # Bots processed as bot check in pre-activation job
- # - github-actions[bot] # Bots processed as bot check in pre-activation job
+ bots:
+ - github-actions[bot]
Or if bot checking isn't needed for this scheduled workflow, these comment lines should be removed to avoid confusion.
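Review bot: the suggested `bots:` entry is applied directly to gh-aw-upgrade-check.lock.yml, which this PR treats as a generated artifact (the commits above regenerate and recompile the lock files from the workflow sources, and the description says the `bots:` frontmatter field compiles into the lock file), so a hand edit here would be overwritten on the next recompile; the hardcoded entry belongs in the upgrade-check workflow's frontmatter, with the lock file regenerated from it. The PR's test plan also states that the upgrade-check lock file omits the membership check because it is schedule-only, so enabling `bots:` in this file without a pre-activation job would have no runtime effect; if bot checking is not needed for a scheduled workflow, deleting the two commented lines is the cleaner resolution.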
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-upgrade-check.lock.yml around lines 40 - 41, The
commented notes about a "pre_activation" job and the commented-out bots
configuration are misleading because this workflow only defines the jobs
activation, agent, conclusion, detection, and safe_outputs; either remove those
comment lines entirely to avoid confusion or add a hardcoded bots: entry for the
standalone upgrade-check workflow (e.g., include bots: [ "github-actions[bot]"
]) in the workflow inputs/top-level config as described in the PR; update the
comment or code near the existing commented lines so they accurately reflect the
actual jobs (activation, agent, conclusion, detection, safe_outputs) and the
chosen approach (remove comments if bot checking is not used, or enable the bots
entry if required).
Summary
- Adds `allowed-bot-users` workflow input to all 31 agent workflows, enabling callers to allowlist bot actors that can trigger workflows
- Defaults to `github-actions[bot]`; accepts comma-separated usernames for multiple bots (e.g. `github-actions[bot],dependabot[bot]`)
- Wires the `bots:` field under `on:` to `${{ inputs.allowed-bot-users }}` so the pre-activation `check_membership` step respects the caller's configuration
- `upgrade-check` (standalone schedule/dispatch, no `workflow_call`) uses a hardcoded `bots:` entry instead
How it works
The `bots:` frontmatter field compiles into `GH_AW_ALLOWED_BOTS` in the lock file's pre-activation job. This follows the same comma-separated pattern as `GH_AW_REQUIRED_ROLES` — the `check_membership.cjs` runtime splits the value and checks if `github.actor` matches any entry.
Test plan
- `GH_AW_ALLOWED_BOTS: ${{ inputs.allowed-bot-users }}` present in all 30 `workflow_call` lock files
- `upgrade-check` lock file correctly omits membership check (schedule-only)
- `pr-review` successfully
Fixes #227
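As an added illustration (not the project's `check_membership.cjs`, nor any code from this PR), the Node.js snippet below models the runtime check described above: `GH_AW_ALLOWED_BOTS` is a comma-separated string that is split into entries and compared against `github.actor`. It also includes the CSV-to-JSON-array conversion the review comments propose as a preprocessing step so that the `bots:` field can be fed through `fromJSON(...)`. Trimming whitespace, dropping empty entries, and whole-login case-insensitive matching are assumptions of this example; the page only states that the value is split on commas and matched against the actor.

```javascript
// Added example (not the project's check_membership.cjs or workflow code):
// models the comma-separated GH_AW_ALLOWED_BOTS check the PR describes and
// the CSV -> JSON-array preprocessing the review suggests for `bots:`.

// Split the allowlist on commas. Trimming whitespace and dropping empty
// entries are assumptions of this example; the PR only says the value is split.
function parseAllowedBots(csv) {
  if (typeof csv !== "string") return [];
  return csv
    .split(",")
    .map((entry) => entry.trim())
    .filter((entry) => entry.length > 0);
}

// Decide whether the triggering actor is an allowlisted bot. Whole-login,
// case-insensitive comparison is an assumption of this example: GitHub logins
// are case-insensitive, and a whole-string match keeps an unrelated login such
// as "my-github-actions[bot]" from satisfying an entry for "github-actions[bot]".
function isAllowedBot(actor, csv) {
  const wanted = String(actor).trim().toLowerCase();
  if (wanted === "") return false;
  return parseAllowedBots(csv).some((bot) => bot.toLowerCase() === wanted);
}

// Preprocessing step the review proposes: turn the caller's CSV input into a
// JSON array string that a workflow can consume with fromJSON(...).
function csvToJsonArray(csv) {
  return JSON.stringify(parseAllowedBots(csv));
}

// Simulate the pre-activation decision for one run, given the job's env block
// (only GH_AW_ALLOWED_BOTS is read) and the value of github.actor.
function membershipDecision(env, actor) {
  const allowlist = (env && env.GH_AW_ALLOWED_BOTS) || "";
  const allowedBots = parseAllowedBots(allowlist);
  const allowed = isAllowedBot(actor, allowlist);
  return {
    actor,
    allowedBots,
    allowed,
    reason: allowed
      ? "actor matches an entry in GH_AW_ALLOWED_BOTS"
      : "actor is not an allowlisted bot",
  };
}

// Constructed sample values (not taken from any real run): the default single
// entry, and a two-entry value with the stray whitespace a caller might pass.
const SAMPLE_ENV_DEFAULT = { GH_AW_ALLOWED_BOTS: "github-actions[bot]" };
const SAMPLE_ENV_MULTI = { GH_AW_ALLOWED_BOTS: "github-actions[bot], dependabot[bot], " };

// Stand-alone demo: allowed and rejected actors for each sample env block.
for (const [label, env] of [["default", SAMPLE_ENV_DEFAULT], ["multi", SAMPLE_ENV_MULTI]]) {
  for (const actor of ["github-actions[bot]", "dependabot[bot]", "my-github-actions[bot]"]) {
    console.log(label, JSON.stringify(membershipDecision(env, actor)));
  }
}
console.log("fromJSON input:", csvToJsonArray(SAMPLE_ENV_MULTI.GH_AW_ALLOWED_BOTS));
```

The point of `membershipDecision` returning a structured result rather than a boolean is that the pre-activation step can log which entries were in force when an actor was rejected, which is what you want when a caller reports that a bot-triggered run silently did nothing.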
Summary by CodeRabbit
- New `allowed-bot-users` configuration input for all GitHub agent workflows, enabling customization of allowlisted bot actors across automated workflows (defaults to `github-actions[bot]`)