Skip to content

fix: skip review-app deploy for Dependabot PRs#234

Open
fsargent wants to merge 1 commit into
mainfrom
fix/skip-review-app-for-dependabot
Open

fix: skip review-app deploy for Dependabot PRs#234
fsargent wants to merge 1 commit into
mainfrom
fix/skip-review-app-for-dependabot

Conversation

@fsargent
Copy link
Copy Markdown
Member

@fsargent fsargent commented Jun 4, 2026
edited by sourcery-ai Bot
Loading

Problem

The Dependabot PRs opened by #231 fail the Deploy Review App workflow with:

```
FLY_API_TOKEN:
Error: no access token available. Please login with 'flyctl auth login'
```

Dependabot PRs run against a separate secrets store and cannot read the `FLY_API_TOKEN` Actions secret, so it arrives empty. (Prod `fly.yml` deploys are unaffected — they were never broken; the deploy key never expired.)

Fix

Guard the `review_app` job with `if: github.actor != 'dependabot[bot]'` so Dependabot PRs skip the review-app deploy entirely. This avoids exposing an org-scoped Fly token to the Dependabot CI context (the more secure option vs. adding the token to the Dependabot secrets store).

Dependabot PRs still run the normal Django test workflow; they just don't spin up an ephemeral preview app.

🤖 Generated with Claude Code

Summary by Sourcery

CI:

  • Gate the review_app workflow job on github.actor so Dependabot PRs do not attempt review app deployments.

@fsargent @claude
fix: skip review-app deploy for Dependabot PRs
e3faddf 
Dependabot PRs run with a separate secrets store and cannot read the
FLY_API_TOKEN Actions secret, so the review-app deploy fails with
'no access token available'. Guard the job with
github.actor != 'dependabot[bot]'.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@sourcery-ai
Copy link
Copy Markdown
Contributor

sourcery-ai Bot commented Jun 4, 2026
edited
Loading

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Adds a conditional to the Fly review app GitHub Actions workflow so that the review_app job is skipped for Dependabot PRs, preventing failed deployments due to missing FLY_API_TOKEN in Dependabot’s separate secrets store.

File-Level Changes

Change Details Files
Skip Fly review-app deploy job for Dependabot PRs in the GitHub Actions workflow.
  • Add an if condition on the review_app job to run only when the GitHub actor is not dependabot[bot].
  • Document in a comment that Dependabot uses a separate secrets store and lacks access to FLY_API_TOKEN, explaining why the guard is necessary.
 .github/workflows/fly-review.yml
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Jun 4, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • .github/workflows/fly-review.yml is excluded by !**/*.yml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 300ca99b-1f4e-4545-9be9-2900b2c49a35

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/skip-review-app-for-dependabot

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

sourcery-ai[bot]
sourcery-ai Bot reviewed Jun 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@sourcery-ai sourcery-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 1 issue

Prompt for AI Agents 
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path=".github/workflows/fly-review.yml" line_range="19-21" />
<code_context>
     runs-on: ubuntu-latest
+    # Dependabot PRs run with a separate secrets store and cannot read
+    # FLY_API_TOKEN, so the review-app deploy fails. Skip them.
+    if: github.actor != 'dependabot[bot]'
     outputs:
       url: ${{ steps.deploy.outputs.url }}
</code_context>
<issue_to_address>
**suggestion:** Consider hardening the Dependabot detection to cover additional Dependabot identities and trigger types.

`github.actor != 'dependabot[bot]'` will miss a few cases:

- Legacy/preview Dependabot uses `dependabot-preview[bot]`.
- On `pull_request` events, `github.actor` may be a human retriggering a Dependabot PR, so checking the actor can be misleading.

For PRs, consider keying off `github.event.pull_request.user.login` and excluding both `dependabot[bot]` and `dependabot-preview[bot]`, e.g.:
```yaml
if: >-
  github.event.pull_request.user.login != 'dependabot[bot]' &&
  github.event.pull_request.user.login != 'dependabot-preview[bot]'
```
(or equivalent logic for your supported events).

```suggestion
    # Dependabot PRs run with a separate secrets store and cannot read
    # FLY_API_TOKEN, so the review-app deploy fails. Skip them.
    # For PRs, key off the PR author; for other events, fall back to the actor.
    if: >-
      (github.event_name == 'pull_request' &&
        github.event.pull_request.user.login != 'dependabot[bot]' &&
        github.event.pull_request.user.login != 'dependabot-preview[bot]') ||
      (github.event_name != 'pull_request' &&
        github.actor != 'dependabot[bot]' &&
        github.actor != 'dependabot-preview[bot]')
```
</issue_to_address>
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment thread .github/workflows/fly-review.yml
Comment on lines +19 to +21
# Dependabot PRs run with a separate secrets store and cannot read
# FLY_API_TOKEN, so the review-app deploy fails. Skip them.
if: github.actor != 'dependabot[bot]'
Copy link
Copy Markdown
Contributor

@sourcery-ai sourcery-ai Bot Jun 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: Consider hardening the Dependabot detection to cover additional Dependabot identities and trigger types.

github.actor != 'dependabot[bot]' will miss a few cases:

  • Legacy/preview Dependabot uses dependabot-preview[bot].
  • On pull_request events, github.actor may be a human retriggering a Dependabot PR, so checking the actor can be misleading.

For PRs, consider keying off github.event.pull_request.user.login and excluding both dependabot[bot] and dependabot-preview[bot], e.g.:

if: >-
  github.event.pull_request.user.login != 'dependabot[bot]' &&
  github.event.pull_request.user.login != 'dependabot-preview[bot]'

(or equivalent logic for your supported events).

Suggested change
# Dependabot PRs run with a separate secrets store and cannot read
# FLY_API_TOKEN, so the review-app deploy fails. Skip them.
if: github.actor != 'dependabot[bot]'
# Dependabot PRs run with a separate secrets store and cannot read
# FLY_API_TOKEN, so the review-app deploy fails. Skip them.
# For PRs, key off the PR author; for other events, fall back to the actor.
if: >-
(github.event_name == 'pull_request' &&
github.event.pull_request.user.login != 'dependabot[bot]' &&
github.event.pull_request.user.login != 'dependabot-preview[bot]') ||
(github.event_name != 'pull_request' &&
github.actor != 'dependabot[bot]' &&
github.actor != 'dependabot-preview[bot]')

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fsargent