
on.bots matching is exact-string only and fails for <slug> vs <slug>[bot] GitHub App identities #20030

@samuelkahessay


Context

Observed during smoke validation of an App-first autonomous pipeline on 2026-03-08. A PR created by the installed pipeline App did not activate the downstream review workflow until the workflow was changed to use the exact [bot] actor string in bots:.

Related to #18556 — the fix for that issue (#18592) added a compute_text.cjs fallback that also uses exact-match allowedBots.includes(actor), widening the surface area of this normalization gap.

Still reproducible on local gh-aw main at b2d8af754 (v0.53.4).

Problem

gh-aw compares allowed bot identifiers to context.actor using exact string equality and only treats strings ending in [bot] as bots in checkBotStatus().

That fails for GitHub App identities because the same installed App may appear as:

  • <slug>
  • <slug>[bot]

If the workflow author configures bots: [<slug>] but the runtime actor is <slug>[bot], pre-activation skips even though it is the same installed App.

Location

  • actions/setup/js/check_permissions_utils.cjs:23-25
  • actions/setup/js/check_permissions_utils.cjs:34-40
  • actions/setup/js/check_membership.cjs:68-75
  • actions/setup/js/compute_text.cjs:35-41

Reproduction

  1. Configure a workflow with:

      on:
        pull_request:
          types: [opened]
        bots:
          - my-pipeline-app

  2. Have a GitHub App create the PR
  3. Let the downstream workflow run on pull_request
  4. If GitHub reports the actor as my-pipeline-app[bot], the workflow skips because allowedBots.includes(actor) compares the raw strings

Expected behavior

on.bots should treat <slug> and <slug>[bot] as the same App identity.

Proposed fix

Introduce a shared canonicalizer for bot/App identifiers and use it everywhere bot authorization is checked:

If maintainers also want to support additional App-specific actor forms such as app/<slug>, that can be folded into the same normalizer, but the verified bug here is the <slug> vs <slug>[bot] mismatch.

Environment

  • Observed in production-style smoke validation: v0.52.1-generated workflows
  • Still present on: local main at b2d8af754 (v0.53.4)
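
One way the shared canonicalizer described under "Proposed fix" could look, as an added example that is not gh-aw's code and not the reporter's patch. The names canonicalizeBotIdentifier, isAllowedBot and compareMatchers are hypothetical, the cases are constructed, and the example covers only the <slug> vs <slug>[bot] pair; it assumes the decision about whether the actor is actually a bot stays in checkBotStatus().

```javascript
// Added example, not gh-aw source. All names here are hypothetical.
const BOT_SUFFIX = "[bot]";

// Reduce an actor login or a bots: entry to the bare App slug.
// Exactly one trailing "[bot]" is removed; nothing else is rewritten,
// so "a[bot][bot]" or "a[bot]x" never collapse onto "a".
function canonicalizeBotIdentifier(name) {
  if (typeof name !== "string") return "";
  const trimmed = name.trim();
  return trimmed.endsWith(BOT_SUFFIX)
    ? trimmed.slice(0, -BOT_SUFFIX.length)
    : trimmed;
}

// Allow-list check on canonical forms. An empty canonical form (missing
// actor, or the literal "[bot]") never matches, even against an empty entry.
function isAllowedBot(actor, allowedBots) {
  const want = canonicalizeBotIdentifier(actor);
  if (want === "" || !Array.isArray(allowedBots)) return false;
  return allowedBots.some((b) => canonicalizeBotIdentifier(b) === want);
}

// Constructed cases: [bots: entries, runtime actor].
const CASES = [
  [["my-pipeline-app"], "my-pipeline-app[bot]"], // the reported mismatch
  [["my-pipeline-app[bot]"], "my-pipeline-app"], // reverse direction
  [["my-pipeline-app"], "my-pipeline-app"],
  [["my-pipeline-app"], "other-app[bot]"],
  [["my-pipeline-app"], "my-pipeline-app[bot][bot]"],
  [[""], "[bot]"],
];

// Compare the exact-string check quoted in the issue with the canonical one.
function compareMatchers() {
  return CASES.map(([bots, actor]) => ({
    bots,
    actor,
    exact: bots.includes(actor),
    canonical: isAllowedBot(actor, bots),
  }));
}

console.table(compareMatchers());
```

Only the first two rows change outcome between the exact and canonical columns; unrelated or malformed actors are rejected by both checks.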
