
Support updatecli in gh-aw-dependency-review#533

Merged
strawgate merged 4 commits into main from copilot/support-updatecli-dependency-workflow on Mar 2, 2026

Conversation

Contributor

Copilot AI commented Mar 2, 2026

gh-aw-dependency-review previously triggered only for Dependabot/Renovate PRs. This updates the trigger logic to also include Updatecli PRs, using branch-name detection because Updatecli bot usernames are installation-specific while branch names are consistently prefixed with updatecli.

Changes

  • Updated trigger conditions in:

    • .github/workflows/trigger-dependency-review.yml
    • gh-agent-workflows/dependency-review/example.yml
  • Added startsWith(github.head_ref, 'updatecli') alongside existing bot-user checks.

  • Updated .github/workflows/gh-aw-dependency-review.md text to explicitly include Updatecli in the workflow description and agent prompt.

  • Updated docs to reflect the expanded trigger coverage:

    • gh-agent-workflows/dependency-review/README.md
    • docs/workflows/gh-agent-workflows.md
  • Fixes #532 (Support updatecli for the dependency agentic workflow called gh-aw-dependency-review)

Generated by Update PR Body for issue #533

Co-authored-by: v1v <2871786+v1v@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Support updatecli for gh-aw-dependency-review workflow" to "Support updatecli in gh-aw-dependency-review" on Mar 2, 2026
Copilot finished work on behalf of v1v March 2, 2026 14:11
@strawgate strawgate marked this pull request as ready for review March 2, 2026 17:08
@strawgate
Collaborator

@copilot doesn't that workflow have an allowed bots list we also need to put that in?

@coderabbitai

coderabbitai bot commented Mar 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 466621f and 9c4fd5d.

📒 Files selected for processing (5)
  • .github/workflows/gh-aw-dependency-review.md
  • .github/workflows/trigger-dependency-review.yml
  • docs/workflows/gh-agent-workflows.md
  • gh-agent-workflows/dependency-review/README.md
  • gh-agent-workflows/dependency-review/example.yml

📝 Walkthrough

Walkthrough

This PR extends the dependency review workflow to support Updatecli alongside existing Dependabot and Renovate integrations. Changes include: adding Updatecli branch detection via startsWith(github.head_ref, 'updatecli') to workflow triggers, updating workflow descriptions and documentation to reference Updatecli, and modifying example configurations. No logic changes to error handling or workflow flow; updates are purely additive documentation and condition extensions.

🚥 Pre-merge checks (2 passed)

Check name                 | Status    | Explanation
Linked Issues check        | ✅ Passed | PR successfully implements support for Updatecli in gh-aw-dependency-review workflow by adding branch-name detection (startsWith(github.head_ref, 'updatecli')) to trigger conditions across all relevant files [#532].
Out of Scope Changes check | ✅ Passed | All changes are scoped to adding Updatecli support: workflow trigger conditions, documentation updates, and workflow examples. No unrelated modifications detected.


Co-authored-by: strawgate <6384545+strawgate@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 2, 2026

@copilot doesn't that workflow have an allowed bots list we also need to put that in?

Good catch! The compiled lock.yml does have an allowed-bot-users input that feeds GH_AW_ALLOWED_BOTS in the membership check step. Since updatecli doesn't have a universal bot username (it varies per repo), I've added a commented with: allowed-bot-users: block to example.yml and the trigger file so users know to set it, and updated the README's inputs table to explain the requirement. (77ba3f0)

github.event.pull_request.user.login == 'dependabot[bot]' ||
github.event.pull_request.user.login == 'renovate[bot]'
github.event.pull_request.user.login == 'renovate[bot]' ||
startsWith(github.head_ref, 'updatecli')
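Review bot: the `startsWith(github.head_ref, 'updatecli')` arm added on the last line of this hunk is the only part of the `||` chain that is not an author-identity check; `github.head_ref` is chosen by whoever opens the PR, so any contributor can enter this trigger path by naming a branch `updatecli-...`. That is tolerable only because the called workflow still runs its allowed-bots/membership check, so this condition must not be read as authorization. To make the new path actually usable for real Updatecli PRs, pass the Updatecli bot's login through `with: allowed-bot-users` in this caller (the called workflow otherwise falls back to `github-actions[bot]`), or the PR will trigger here and then be skipped at the membership step.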
Contributor


[HIGH] Updatecli trigger can fail authorization in called workflow

This adds startsWith(github.head_ref, 'updatecli'), but this caller still invokes gh-aw-dependency-review.lock.yml without passing allowed-bot-users, while the called workflow allowlist is `${{ inputs.allowed-bot-users }},dependabot[bot],renovate[bot]` and defaults allowed-bot-users to github-actions[bot]. For repo-installed Updatecli bots (commonly custom bot usernames), the workflow will trigger here but then fail activation/membership checks and skip dependency analysis.

Please pass the PR bot login through with.allowed-bot-users (or explicitly include Updatecli bot identities) in this workflow call so the new trigger path is actually executable.
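The following is an added model, not code from this repository, of the two gates discussed in this thread: the caller's `if:` condition (bot login or `updatecli` branch prefix) and the called workflow's allowed-bots check, whose allowlist string and `github-actions[bot]` default are taken from the review comment above. The bot login `acme-updatecli[bot]`, the PR events, and the rule that repo members pass the membership check regardless of the allowlist are assumptions made for illustration. It shows the "triggered but skipped" outcome for an Updatecli bot that is not passed through `allowed-bot-users`, and that a branch named `updatecli-...` from an outside contributor reaches the trigger but is stopped at the second gate.

```python
"""Model of the two gates a dependency-update PR passes on its way to the
dependency-review agent. Constructed example; not the project's own code."""
from dataclasses import dataclass

# Logins the caller's `if:` names explicitly (from the trigger file in this PR).
TRUSTED_BOT_LOGINS = frozenset({"dependabot[bot]", "renovate[bot]"})
# Value the called workflow uses when the caller passes no allowed-bot-users.
DEFAULT_ALLOWED_BOT_USERS = "github-actions[bot]"
# Assumption: author associations the membership check treats as repo members.
MEMBER_ASSOCIATIONS = frozenset({"OWNER", "MEMBER"})


@dataclass(frozen=True)
class PullRequest:
    author_login: str        # github.event.pull_request.user.login
    head_ref: str            # github.head_ref (chosen by the PR author)
    author_association: str  # github.event.pull_request.author_association


def caller_trigger(pr: PullRequest) -> bool:
    """The caller's condition after this PR: trusted bot login OR updatecli
    branch prefix. The branch name proves nothing about who opened the PR."""
    return (pr.author_login in TRUSTED_BOT_LOGINS
            or pr.head_ref.startswith("updatecli"))


def allowed_bots(allowed_bot_users: str) -> frozenset:
    """Mirrors the called workflow's allowlist string
    "${{ inputs.allowed-bot-users }},dependabot[bot],renovate[bot]"."""
    raw = f"{allowed_bot_users},dependabot[bot],renovate[bot]"
    return frozenset(part.strip() for part in raw.split(",") if part.strip())


def called_workflow_admits(pr: PullRequest,
                           allowed_bot_users: str = DEFAULT_ALLOWED_BOT_USERS) -> bool:
    """Assumed membership-check semantics: repo members pass; any other author
    must be a login on the allowlist."""
    return (pr.author_association in MEMBER_ASSOCIATIONS
            or pr.author_login in allowed_bots(allowed_bot_users))


def outcome(pr: PullRequest,
            allowed_bot_users: str = DEFAULT_ALLOWED_BOT_USERS) -> str:
    """What happens to a PR: not-triggered, triggered-but-skipped, or analyzed."""
    if not caller_trigger(pr):
        return "not-triggered"
    if not called_workflow_admits(pr, allowed_bot_users):
        return "triggered-but-skipped"
    return "analyzed"


# Constructed PR events (hypothetical logins and branch names).
DEPENDABOT = PullRequest("dependabot[bot]", "dependabot/npm_and_yarn/lodash-4.17.21", "CONTRIBUTOR")
UPDATECLI_CUSTOM_BOT = PullRequest("acme-updatecli[bot]", "updatecli_main_bump-go", "CONTRIBUTOR")
FORK_WITH_UPDATECLI_BRANCH = PullRequest("random-user", "updatecli-looks-legit", "NONE")
MAINTAINER = PullRequest("maintainer", "feature/thing", "MEMBER")

if __name__ == "__main__":
    for pr in (DEPENDABOT, UPDATECLI_CUSTOM_BOT, FORK_WITH_UPDATECLI_BRANCH, MAINTAINER):
        print(f"{pr.author_login:22} {pr.head_ref:40} default: {outcome(pr)}")
    # Passing the bot login through allowed-bot-users fixes the Updatecli case
    # without admitting the fork branch that merely borrowed the prefix.
    print("with allowlist:", outcome(UPDATECLI_CUSTOM_BOT, "acme-updatecli[bot]"),
          outcome(FORK_WITH_UPDATECLI_BRANCH, "acme-updatecli[bot]"))
```

The design point is that the two gates answer different questions: the caller's branch-prefix check only decides whether the reusable workflow is invoked, while the allowlist/membership check is the only place author identity is enforced, so the fix for a custom Updatecli bot is to name its login in `allowed-bot-users`, not to loosen the trigger further.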

@strawgate strawgate merged commit ba92256 into main Mar 2, 2026
1 check passed
@strawgate strawgate deleted the copilot/support-updatecli-dependency-workflow branch March 2, 2026 17:22

Development

Successfully merging this pull request may close these issues.

Support updatecli for the dependency agentic workflow called gh-aw-dependency-review

3 participants