Summary
The AW Dependabot PR Review agentic workflow (.github/workflows/aw-dependabot-pr-review.md) silently skips on every run and never posts a review. It reports green while doing nothing, so the advisory Dependabot review has effectively been non-functional.
This issue tracks the fix: migrating the trigger from workflow_run to a maintainer-invoked /aw-dependabot-review slash command.
Root cause
The workflow was triggered by workflow_run after PR Validation completed on a dependabot/** branch. Under that posture, the triggering actor is dependabot[bot] (permission none). gh-aw's pre_activation role gate (check_membership) evaluates that actor against GH_AW_REQUIRED_ROLES: "admin,maintainer,write", finds no qualifying role, sets activated=false, and skips all downstream jobs — without failing. The result is a green run that produces no advisory.
A direct fix (adding a bots:/roles: allowlist under on:) was attempted but is blocked by a gh-aw compiler bug: bots:/roles: siblings alongside a workflow_run trigger break workflow_run branch validation. So the workflow_run posture is a dead end.
New approach: maintainer-invoked slash command
Switch the trigger to a slash command that a maintainer runs on demand:
on:
  slash_command:
    name: aw-dependabot-review
    events: [pull_request_comment]
A maintainer comments /aw-dependabot-review on a Dependabot PR to request the advisory review.
Why this fixes the root cause: with a slash command, gh-aw's role gate evaluates the commenter (a maintainer with write+), not dependabot[bot]. Activation passes, and the review runs. It also sidesteps the workflow_run compiler bug entirely.
Implementation notes
- Resolver rewrite. The slash command carries no workflow_run payload, so the resolver step now reads the PR number from context.payload.issue.number, hydrates the PR via pulls.get, skips non-Dependabot and draft PRs (setting PR_DEPENDABOT_SKIP_REASON), and looks up the latest PR Validation run for the PR head SHA via actions.listWorkflowRunsForRepo to populate PR_VALIDATION_CONCLUSION / PR_VALIDATION_RUN_URL. The env-var contract consumed by the agent persona is unchanged.
- Permissions stay scoped: contents: read, pull-requests: read, actions: read (for the workflow-run lookup), checks: read.
- Concurrency keys on github.event.issue.number.
- Compiler. Recompile with the latest gh aw release (currently v0.77.5), which carries fixes we want.
- Dependabot rules. .github/dependabot.yml already contains the compiler-managed github/gh-aw-actions/* exclude + ignore rule, so no rule change is required. Note: a plain gh aw compile performs a destructive cosmetic reformat of the hand-curated dependabot.yml (strips rationale comments, alphabetizes keys, relocates version: 2); that reformat must not be committed.
- Agent persona (.github/agents/dependabot-pr-reviewer.agent.md) is trigger-agnostic and needs no change.
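The resolver step described above, as an added example written for this issue (not the workflow's own resolver): a pure async function over an Octokit-style `github` client and the actions/github-script `context`, so the skip paths and the head-SHA lookup can be exercised offline. The names resolveDependabotPr and mockGithub, and all sample data, are assumptions; only the env-var names come from the issue.

```javascript
// Added example, not the workflow's resolver. resolveDependabotPr, mockGithub
// and the sample data are assumptions; the env-var names match the issue.
// Returns the env-var contract the agent persona consumes, or a skip reason.
async function resolveDependabotPr(github, context, validationWorkflow = 'PR Validation') {
  const { owner, repo } = context.repo;
  // A PR comment is an issue_comment event: the PR number is the issue number.
  const pull_number = context.payload.issue && context.payload.issue.number;
  if (!pull_number) return { PR_DEPENDABOT_SKIP_REASON: 'no PR number in payload' };
  // Hydrate: the comment payload has neither the head SHA nor the draft flag.
  const { data: pr } = await github.rest.pulls.get({ owner, repo, pull_number });
  if (pr.user.login !== 'dependabot[bot]') {
    return { PR_DEPENDABOT_SKIP_REASON: `author ${pr.user.login} is not dependabot[bot]` };
  }
  if (pr.draft) return { PR_DEPENDABOT_SKIP_REASON: 'draft PR' };
  // Latest run of the validation workflow for this exact head SHA (head_sha is a query filter).
  const { data } = await github.rest.actions.listWorkflowRunsForRepo({
    owner, repo, head_sha: pr.head.sha, per_page: 50,
  });
  const latest = data.workflow_runs
    .filter((r) => r.name === validationWorkflow)
    .sort((a, b) => Date.parse(b.created_at) - Date.parse(a.created_at))[0];
  return {
    // A run still in progress has conclusion null; report its status instead.
    PR_VALIDATION_CONCLUSION: latest ? latest.conclusion || latest.status : 'not_found',
    PR_VALIDATION_RUN_URL: latest ? latest.html_url : '',
  };
}

// Constructed mock client: filters runs by head_sha the way the real endpoint does.
function mockGithub({ pr, runs }) {
  return { rest: {
    pulls: { get: async () => ({ data: pr }) },
    actions: { listWorkflowRunsForRepo: async ({ head_sha }) =>
      ({ data: { workflow_runs: runs.filter((r) => r.head_sha === head_sha) } }) },
  } };
}

// Constructed sample data: a maintainer comments on Dependabot PR #42.
const sampleContext = { repo: { owner: 'acme', repo: 'widgets' }, payload: { issue: { number: 42 } } };
const samplePr = { draft: false, user: { login: 'dependabot[bot]' }, head: { sha: 'abc123' } };
const sampleRuns = [
  { name: 'PR Validation', head_sha: 'abc123', conclusion: 'failure', status: 'completed',
    created_at: '2024-01-01T00:00:00Z', html_url: 'https://example.invalid/runs/1' },
  { name: 'PR Validation', head_sha: 'abc123', conclusion: 'success', status: 'completed',
    created_at: '2024-01-02T00:00:00Z', html_url: 'https://example.invalid/runs/2' },
  { name: 'PR Validation', head_sha: 'old999', conclusion: 'success', status: 'completed',
    created_at: '2024-01-03T00:00:00Z', html_url: 'https://example.invalid/runs/3' },
];
resolveDependabotPr(mockGithub({ pr: samplePr, runs: sampleRuns }), sampleContext)
  .then((env) => console.log(env));
```

The newer run for the old head SHA is ignored, which is the point of keying the lookup on the PR head SHA rather than the branch.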
Acceptance criteria
- aw-dependabot-pr-review.md uses the slash_command trigger named aw-dependabot-review.
- Commenting /aw-dependabot-review on a Dependabot PR (as a maintainer) activates the workflow and posts exactly one advisory review.
- The resolver populates PR_VALIDATION_CONCLUSION / PR_VALIDATION_RUN_URL from the head-SHA PR Validation lookup.
- No dependabot.yml reformat is introduced.
References
- .github/workflows/aw-dependabot-pr-review.md
- .github/agents/dependabot-pr-reviewer.agent.md