ci: skip flags project board for Dependabot PRs#52

Merged
turnipdabeets merged 1 commit into
mainfrom
ci/skip-flags-board-for-dependabot
Jun 4, 2026

Conversation

@turnipdabeets
Contributor

Problem

The add-to-project-board job generates a GitHub App token as its first, unconditional step:

- name: Generate GitHub App Token
  uses: actions/create-github-app-token@...
  with:
    app-id: ${{ secrets.PROJECT_BOARD_BOT_APP_ID }}
    private-key: ${{ secrets.PROJECT_BOARD_BOT_PRIVATE_KEY }}

Dependabot-triggered workflow runs execute in a restricted secret context — GitHub deliberately withholds normal Actions/org secrets from Dependabot to limit supply-chain blast radius. So those secrets resolve to empty and the step hard-fails on every dependency-bump PR, in every repo that calls this workflow:

Error: The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string.
Token is not set

This has been red on Dependabot PRs since the 2025-09-09 PAT → GitHub App migration.

Fix

Append github.actor != 'dependabot[bot]' to the job condition.

  • Safe: the board only acts when a Feature Flags team member is requested as a reviewer — which never happens on Dependabot bumps. It's project-management automation, not a test/correctness gate, so nothing is lost.
  • Safer than the alternative: exposing PROJECT_BOARD_BOT_APP_ID/PRIVATE_KEY to the Dependabot secret context would also fix it, but would hand an org-write GitHub App key to the untrusted Dependabot context — exactly what GitHub's secret isolation protects against.

This is already being worked around per-repo

Several repos currently carry this exact github.actor != 'dependabot[bot]' guard at the caller level, which is what motivated centralizing it here:

⚠️ Note on propagation

Callers pin this workflow to a commit SHA (@d8b55d05...), so merging this does not auto-fix existing callers — each repo only picks it up when its pin is bumped to the new SHA. After this merges I'll bump the pins on the affected callers (and drop the now-redundant per-repo guards). Repos with live failing Dependabot PRs that still need attention: posthog-cloud-infra (2 open), posthog-ios, posthog-js.

🤖 Generated with Claude Code
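The shape of the fix described above, written out as an added illustration rather than PostHog's actual reusable workflow file. The `workflow_call` trigger, the `runs-on` value, the `github.event_name == 'pull_request'` clause standing in for the job's existing condition, the `@v2` action version, and the final "add to board" step are all assumptions; the job name, secret names and token step come from the PR description.

```yaml
# Added example, not the project's workflow. A reusable workflow that callers
# invoke via workflow_call; the only security-relevant change is the last
# clause of the job-level `if`.
on:
  workflow_call:
    secrets:
      PROJECT_BOARD_BOT_APP_ID:          # names from the PR; passed in by the caller
        required: true
      PROJECT_BOARD_BOT_PRIVATE_KEY:
        required: true

jobs:
  add-to-project-board:
    # Before (weak): any existing condition alone, e.g.
    #   if: github.event_name == 'pull_request'
    # still runs on Dependabot-triggered PRs, where GitHub withholds normal
    # Actions secrets, so the token step below fails with an empty app-id.
    #
    # After: skip the whole job when Dependabot triggered the run. The secrets
    # are never requested in the restricted context, and nothing is lost
    # because the board is project-management automation, not a check gate.
    if: >-
      github.event_name == 'pull_request' &&
      github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest            # assumed runner
    steps:
      - name: Generate GitHub App Token
        id: app-token
        # '@v2' is assumed here; the project pins actions to a commit SHA,
        # which is the safer choice for a step that handles an App private key.
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.PROJECT_BOARD_BOT_APP_ID }}
          private-key: ${{ secrets.PROJECT_BOARD_BOT_PRIVATE_KEY }}

      - name: Add PR to project board
        # Placeholder for the board automation; the short-lived installation
        # token from the step above is scoped to the App, not to a user PAT.
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: echo "would add ${{ github.event.pull_request.html_url }} to the board"
```

Two things to check when copying this pattern: `github.actor` is the user who triggered the initial workflow run, so it is the right field when the goal is "did Dependabot start this run, and therefore are secrets withheld"; if the intent were instead "is this PR authored by Dependabot" regardless of who later pushed or re-ran, `github.event.pull_request.user.login == 'dependabot[bot]'` keys on the PR author rather than the triggering actor. And because callers pin the reusable workflow to a commit SHA, the new condition reaches a caller only when its pin is bumped, exactly as the propagation note above says.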

The add-to-project-board job generates a GitHub App token as its first
step. Dependabot-triggered runs execute in a restricted secret context
with no access to PROJECT_BOARD_BOT_APP_ID / PROJECT_BOARD_BOT_PRIVATE_KEY,
so create-github-app-token hard-fails with "The 'client-id' (or deprecated
'app-id') input must be set to a non-empty string" on every dependency-bump
PR across every repo that calls this workflow.

Guard the job with `github.actor != 'dependabot[bot]'`. Skipping is safe
(the board only acts when a Flags team member is requested as reviewer,
which never happens on Dependabot bumps) and safer than the alternative of
exposing the org-write App key to the untrusted Dependabot context.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@turnipdabeets turnipdabeets requested a review from a team as a code owner June 4, 2026 18:29
@turnipdabeets turnipdabeets requested a review from a team June 4, 2026 18:29
Member

@Piccirello Piccirello left a comment

This conditional just keeps getting uglier 😆

@turnipdabeets turnipdabeets merged commit 69336b5 into main Jun 4, 2026
12 checks passed
@turnipdabeets turnipdabeets deleted the ci/skip-flags-board-for-dependabot branch June 4, 2026 20:01
turnipdabeets added a commit to PostHog/posthog that referenced this pull request Jun 4, 2026
The Dependabot skip for the feature flags project board is now handled
centrally in the reusable workflow (PostHog/.github#52). Bump the pin to
that merged SHA and drop the redundant inline `github.actor !=
'dependabot[bot]'` guard so the conditional lives in one place.

No behavior change: Dependabot PRs are still skipped (now upstream), and
the pin bump pulls in only that single workflow change.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
turnipdabeets added a commit to PostHog/posthog-python that referenced this pull request Jun 4, 2026
The Dependabot skip for the feature flags project board is now handled
centrally in the reusable workflow (PostHog/.github#52). Bump the pin to
that merged SHA and drop the redundant inline `github.actor !=
'dependabot[bot]'` guard so the conditional lives in one place.

No behavior change: Dependabot PRs are still skipped (now upstream), and
the pin bump pulls in only that single workflow change.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
turnipdabeets added a commit to PostHog/posthog-python that referenced this pull request Jun 4, 2026
The Dependabot skip for the feature flags project board is now handled
centrally in the reusable workflow (PostHog/.github#52). Bump the pin to
that merged SHA and drop the redundant inline `github.actor !=
'dependabot[bot]'` guard so the conditional lives in one place.

No behavior change: Dependabot PRs are still skipped (now upstream), and
the pin bump pulls in only that single workflow change.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
turnipdabeets added a commit to PostHog/posthog-ios that referenced this pull request Jun 4, 2026
Pick up PostHog/.github#52, which skips the feature flags project board
for Dependabot PRs. The board's GitHub App token step hard-fails in
Dependabot's restricted secret context, so this check was red on every
dependency-bump PR until now.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
turnipdabeets added a commit to PostHog/posthog-js that referenced this pull request Jun 4, 2026
Pick up PostHog/.github#52, which skips the feature flags project board
for Dependabot PRs. The board's GitHub App token step hard-fails in
Dependabot's restricted secret context, so this check was red on every
dependency-bump PR until now.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>