Summary
Dependabot PRs are not consistently getting the build-and-test workflow/status, even when they modify .github/actions/core and should be validated the same way as normal PRs.
Concrete example
PR #44 (#44) did not get the build-and-test status check. The visible checks were:
- Analyze (actions)
- CodeQL
- license/cla
But the Build & Test workflow did not appear to run.
Likely cause
The current workflow is triggered on pull_request, but the first job is designed to write back to the PR branch:
- requests contents: write and pull-requests: write
- auto-commits built dist/ artifacts for same-repo PRs
That works for normal same-repo PRs, but Dependabot PRs are handled more restrictively by GitHub. A workflow that assumes branch write-back is a poor fit for bot-authored PRs.
Relevant workflow behavior
In .github/workflows/build-and-test.yml:
- same-repo PRs try to auto-commit build artifacts back to the branch
- forked PRs instead fail if dist/ is dirty
Dependabot PRs likely need to be treated more like forked PRs here:
- run tests
- build
- verify dist/
- do not try to auto-push changes back to the PR branch
Suggested fix
Adjust the workflow conditions so Dependabot PRs do not go down the auto-commit path.
For example, only allow auto-commit when the PR is same-repo and the actor is not Dependabot, and use the “fail if dist is dirty” behavior otherwise.
Goal
Dependabot PRs that touch the action code should receive the same functional validation (build-and-test) as ordinary PRs, without relying on branch write-back behavior that may be blocked or skipped for bot PRs.