Add dependabot smoke test reminder comment #3
Draft
ajalon1 wants to merge 1 commit into
Dependabot PRs run with Secret source: Dependabot, which restricts access to repository secrets (including DR_API_TOKEN). This causes smoke tests to silently fail when auto-triggered by the go label. A maintainer must manually add the run-smoke-tests label to get a passing run. This job posts a comment on every dependabot PR so that fact is visible at review time rather than discovered at merge time.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
c4f2463 to 5c9daba
RATIONALE
Dependabot PRs consistently fail their first smoke test run. After investigation, the root cause is GitHub's secret isolation model: any workflow triggered on a dependabot-created PR runs with Secret source: Dependabot, which means only Dependabot-specific secrets are available. Repository secrets like DR_API_TOKEN are not injected. The smoke tests build fine but fail immediately at authentication.

A human maintainer adding the run-smoke-tests label upgrades the context to Secret source: Actions (full secrets), which is why the manual-label path works.

CHANGES
Adds a dependabot-reminder job to checks.yaml that fires on any PR where github.actor == 'dependabot[bot]' and posts a comment explaining:
- run-smoke-tests label before merging

The comment appears immediately when the PR opens, so reviewers see it before they start reviewing rather than discovering the constraint at merge time.

NOTES
- needs: dependency so it posts as early as possible
- GITHUB_TOKEN (comment appears from github-actions[bot])
- DR_API_TOKEN as a Dependabot secret in repo settings, which would allow fully automated smoke tests on these PRs
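
A sketch of a job like the one described under CHANGES, added here as an illustration and not the PR's actual diff. The workflow name, trigger types, comment wording and the use of the gh CLI are assumptions; the job name, the actor condition, and the label and secret names come from the description above.

```yaml
# Added illustration, not the contents of this PR's checks.yaml.
name: checks            # assumed workflow name

on:
  pull_request:
    types: [opened, reopened]   # assumed: post once when the PR opens

# Default every job to a read-only token; jobs opt in to more.
permissions:
  contents: read

jobs:
  dependabot-reminder:
    # Runs only when Dependabot itself triggered the event. In that
    # context secrets come from "Secret source: Dependabot", so
    # repository secrets such as DR_API_TOKEN are not injected.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      # GITHUB_TOKEN is read-only by default on Dependabot-triggered
      # runs; grant only the scope needed to post a PR comment.
      pull-requests: write
    steps:
      - name: Post smoke test reminder
        env:
          # GITHUB_TOKEN is always available, unlike repository secrets.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed through env rather than interpolated into the script.
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          # Assumed comment wording.
          gh pr comment "$PR_URL" --body "Smoke tests on this PR run with Secret source: Dependabot, so DR_API_TOKEN is not available. A maintainer must add the run-smoke-tests label before merging."
```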