From cea1ba96bcc42ecbb094397fe2b25b9236bc3780 Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 23:26:05 +0000 Subject: [PATCH] fix(ci): move dependabot exclusion to job-level if in claude-code-reusable.yml The claude job was reporting as failed on Dependabot PRs because the dependabot[bot] check was at the step level, causing the job to start but all steps to be skipped. GitHub marks such jobs as failed rather than skipped. Move the exclusion to the job-level if condition so the entire job is properly skipped. Also remove the now-redundant step-level if, and update AGENTS.md to describe the corrected behavior. Closes #135 Co-authored-by: don-petry --- .github/workflows/claude-code-reusable.yml | 4 ++-- AGENTS.md | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/claude-code-reusable.yml b/.github/workflows/claude-code-reusable.yml index 11d09ff..f5c6d34 100644 --- a/.github/workflows/claude-code-reusable.yml +++ b/.github/workflows/claude-code-reusable.yml @@ -18,7 +18,8 @@ jobs: claude: if: >- (github.event_name == 'pull_request' && - github.event.pull_request.head.repo.full_name == github.repository) || + github.event.pull_request.head.repo.full_name == github.repository && + github.event.pull_request.user.login != 'dependabot[bot]') || (github.event_name == 'issue_comment' && github.event.issue.pull_request && github.event.comment.user.login != 'claude[bot]' && contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) || @@ -41,7 +42,6 @@ jobs: fetch-depth: 1 token: ${{ secrets.GH_PAT_WORKFLOWS || github.token }} - name: Run Claude Code - if: github.event_name != 'pull_request' || github.event.pull_request.user.login != 'dependabot[bot]' uses: anthropics/claude-code-action@6e2bd52842c65e914eba5c8badd17560bd26b5de # v1.0.89 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} 
diff --git a/AGENTS.md b/AGENTS.md index ea6a1ef..2286914 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -511,13 +511,14 @@ The `dependabot-automerge.yml` workflow handles automatic merging of Dependabot | **Eligible updates** | Patch, minor, and indirect dependency bumps | | **Major version bumps** | Require manual review and approval | | **Merge strategy** | `gh pr merge --squash --auto` (queues merge until all checks pass) | -| **AI reviewers** | Claude Code is skipped on Dependabot PRs (step-level `if`); Copilot/CodeRabbit threads are auto-resolved by the workflow | +| **AI reviewers** | Claude Code job is skipped on Dependabot PRs (job-level `if`); Copilot/CodeRabbit threads are auto-resolved by the workflow | | **Approval** | GitHub App token provides the required approving review | #### Claude Code Workflow on Dependabot PRs -The `claude.yml` workflow skips the Claude Code action step for Dependabot PRs (`github.event.pull_request.user.login != 'dependabot[bot]'`). -The job still runs and reports SUCCESS to satisfy required status checks, but the Claude action step is skipped since: +The `claude-code-reusable.yml` workflow skips the entire `claude` job for Dependabot PRs +via a job-level `if` condition (`github.event.pull_request.user.login != 'dependabot[bot]'`). +The job shows as **skipped** (not failed) in GitHub, which satisfies required status checks. The job is skipped because: - `CLAUDE_CODE_OAUTH_TOKEN` is an Actions secret, not a Dependabot secret - AI code review on automated version bumps adds cost without value
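Review bot: in the first hunk of `.github/workflows/claude-code-reusable.yml` (the job-level `if` at `@@ -18,7 +18,8 @@`), the new `github.event.pull_request.user.login != 'dependabot[bot]'` clause sits only in the `pull_request` branch. The `issue_comment` branch that follows has no check on the PR author, so a comment from an OWNER, MEMBER or COLLABORATOR on a Dependabot PR still starts the job. The removed step-level condition behaved the same way (`github.event_name != 'pull_request' || ...`), so this is not a regression. If comment-triggered runs on Dependabot PRs are not wanted, add `github.event.issue.user.login != 'dependabot[bot]'` to that branch; if they are wanted, a YAML comment above the `if` should say so.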
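Review bot: in the second hunk of `.github/workflows/claude-code-reusable.yml` (`@@ -41,7 +42,6 @@`), removing the `if:` from `Run Claude Code` leaves nothing at the step that consumes `secrets.CLAUDE_CODE_OAUTH_TOKEN` to show that it must not run on Dependabot-authored PRs. The guard now lives only in the job-level expression, more than twenty lines above. Add a one-line comment on the step pointing to the job-level `if`, so that a later edit to that `||` chain does not silently drop the exclusion.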
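Review bot: in the `AGENTS.md` hunk, both the **AI reviewers** row and the rewritten paragraph say the `claude` job is skipped on Dependabot PRs without qualification, while the condition they quote is evaluated only in the `pull_request` branch of the job-level `if`. State that the skip applies to `pull_request` events, and say what happens on comment-triggered runs. The paragraph also now names `claude-code-reusable.yml` where it previously named `claude.yml`; if `claude.yml` still exists as the caller, mention both so readers can match the text to the check they see on the PR.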