ci: skip flags project board workflow for Dependabot PRs

[turnipdabeets]

Problem

The call-flags-project / add-to-project-board check fails on every Dependabot PR, and has been doing so since ~2026-05-08. Currently-failing examples:

• chore(deps): bump starlette from 1.0.0 to 1.0.1 in /examples/example-ai-pydantic-ai #649 — chore(deps): bump starlette from 1.0.0 to 1.0.1 in /examples/example-ai-pydantic-ai #649
• chore(deps): bump starlette from 1.0.0 to 1.0.1 in /examples/example-ai-openai-agents #650 — chore(deps): bump starlette from 1.0.0 to 1.0.1 in /examples/example-ai-openai-agents #650
• chore(deps): bump starlette from 1.0.0 to 1.0.1 in /examples/example-ai-semantic-kernel #651 — chore(deps): bump starlette from 1.0.0 to 1.0.1 in /examples/example-ai-semantic-kernel #651

The reusable PostHog/.github flags-project-board workflow generates a GitHub App token as its first, unconditional step:

- name: Generate GitHub App Token
  uses: actions/create-github-app-token@...
  with:
      app-id: ${{ secrets.PROJECT_BOARD_BOT_APP_ID }}
      private-key: ${{ secrets.PROJECT_BOARD_BOT_PRIVATE_KEY }}

Dependabot-triggered workflow runs execute in a restricted secret context (GitHub deliberately withholds normal Actions/org secrets from Dependabot to limit supply-chain blast radius). So those secrets resolve to empty and the step hard-fails:

Error: The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string.
Token is not set

This has been red on every dependency bump since the upstream 2025-09-09 "Migrate from PAT to GitHub App authentication" change.

Fix

Guard the job with github.actor != 'dependabot[bot]'.

• Functionally safe: the board job only does anything when a Feature Flags team member is requested as a reviewer — dependency bumps never are. It's project-management automation, not a test/lint/correctness gate, so no coverage is lost.
• Safer than the alternative: adding PROJECT_BOARD_BOT_APP_ID/PRIVATE_KEY to Dependabot secrets would also fix it, but would hand an org-write GitHub App key to the untrusted Dependabot context — exactly what GitHub's secret isolation protects against.
• No branch-protection limbo: a job-level if reports the check as skipped, which branch protection treats as non-blocking (unlike a workflow-level paths/trigger filter, which can leave a check stuck "waiting for status").

[socket-security]

No dependency changes detected. Learn more about Socket for GitHub.

👍 No dependency changes detected in pull request

[greptile-apps]

_{Reviews (1): Last reviewed commit: "ci: skip flags project board workflow fo..." | Re-trigger Greptile}

[github-actions]

posthog-python Compliance Report

Date: 2026-06-04 19:59:07 UTC
Duration: 176127ms

✅ All Tests Passed!

45/45 tests passed

---

Capture Tests

✅ 29/29 tests passed

View Details

Test	Status	Duration
Format Validation.Event Has Required Fields	✅	518ms
Format Validation.Event Has Uuid	✅	1507ms
Format Validation.Event Has Lib Properties	✅	1507ms
Format Validation.Distinct Id Is String	✅	1507ms
Format Validation.Token Is Present	✅	1507ms
Format Validation.Custom Properties Preserved	✅	1507ms
Format Validation.Event Has Timestamp	✅	1507ms
Retry Behavior.Retries On 503	✅	9515ms
Retry Behavior.Does Not Retry On 400	✅	3508ms
Retry Behavior.Does Not Retry On 401	✅	3509ms
Retry Behavior.Respects Retry After Header	✅	9514ms
Retry Behavior.Implements Backoff	✅	23519ms
Retry Behavior.Retries On 500	✅	7512ms
Retry Behavior.Retries On 502	✅	7515ms
Retry Behavior.Retries On 504	✅	7513ms
Retry Behavior.Max Retries Respected	✅	23525ms
Deduplication.Generates Unique Uuids	✅	1501ms
Deduplication.Preserves Uuid On Retry	✅	7511ms
Deduplication.Preserves Uuid And Timestamp On Retry	✅	14525ms
Deduplication.Preserves Uuid And Timestamp On Batch Retry	✅	7506ms
Deduplication.No Duplicate Events In Batch	✅	1506ms
Deduplication.Different Events Have Different Uuids	✅	1507ms
Compression.Sends Gzip When Enabled	✅	1508ms
Batch Format.Uses Proper Batch Structure	✅	1507ms
Batch Format.Flush With No Events Sends Nothing	✅	1005ms
Batch Format.Multiple Events Batched Together	✅	1505ms
Error Handling.Does Not Retry On 403	✅	3509ms
Error Handling.Does Not Retry On 413	✅	3510ms
Error Handling.Retries On 408	✅	7514ms

Feature_Flags Tests

✅ 16/16 tests passed

View Details

Test	Status	Duration
Request Payload.Request With Person Properties Device Id	✅	1003ms
Request Payload.Flags Request Uses V2 Query Param	✅	1007ms
Request Payload.Flags Request Hits Flags Path Not Decide	✅	1007ms
Request Payload.Flags Request Omits Authorization Header	✅	1006ms
Request Payload.Token In Flags Body Matches Init	✅	1007ms
Request Payload.Groups Round Trip	✅	1007ms
Request Payload.Groups Default To Empty Object	✅	1006ms
Request Payload.Person Properties Distinct Id Auto Populated When Caller Omits It	✅	1007ms
Request Payload.Disable Geoip False Propagates As Geoip Disable False	✅	1007ms
Request Payload.Disable Geoip Omitted Defaults To False	✅	1007ms
Request Payload.Flag Keys To Evaluate Contains Only Requested Key	✅	1006ms
Request Lifecycle.No Flags Request On Init Alone	✅	503ms
Request Lifecycle.No Flags Request On Normal Capture	✅	1508ms
Request Lifecycle.Two Flag Calls Produce Two Remote Requests	✅	1010ms
Request Lifecycle.Mock Response Value Is Returned To Caller	✅	1003ms
Side Effect Events.Get Feature Flag Captures Feature Flag Called Event	✅	1509ms