From 6bac32b1c7d4ad5a6067f3b1f61f427d7d2632a5 Mon Sep 17 00:00:00 2001
From: Anna Garcia
Date: Thu, 4 Jun 2026 14:18:41 -0400
Subject: [PATCH 1/2] ci: skip flags project board workflow for Dependabot PRs
The reusable PostHog/.github flags-project-board workflow generates a GitHub App token as its first step. Dependabot-triggered runs execute in a restricted secret context that has no access to the App credentials, so that step hard-fails with "The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string" on every dependency-bump PR (failing since the 2025-09-09 PAT -> GitHub App migration upstream). Guard the job with github.actor != 'dependabot[bot]'. A job-level if reports as skipped, which branch protection treats as non-blocking, so it won't leave a "waiting for status" check. Adding the App secret to the Dependabot context would also work but would hand an org-write key to the untrusted Dependabot context, so the skip is the safer fix.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/call-flags-project-board.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/call-flags-project-board.yml b/.github/workflows/call-flags-project-board.yml
index 0e74e28c..b1a5780d 100644
--- a/.github/workflows/call-flags-project-board.yml
+++ b/.github/workflows/call-flags-project-board.yml
@@ -9,6 +9,11 @@ on:
 jobs:
 call-flags-project:
+ # Dependabot-triggered runs execute in a restricted secret context without
+ # access to the GitHub App credentials this workflow needs, so the reusable
+ # workflow's token step always hard-fails. Skip it for Dependabot — dependency
+ # bumps don't belong on the feature flags board anyway.
+ if: ${{ github.actor != 'dependabot[bot]' }}
 uses: PostHog/.github/.github/workflows/flags-project-board.yml@d8b55d05dc5150f05c24542a6397ff3ecfbfb56d
 with:
 pr_number: ${{ github.event.pull_request.number }}
From dc6f8acb48988cb13ee0ef45c8d49793976846ab Mon Sep 17 00:00:00 2001
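Review bot: The added `if:` keys on `github.actor`, which is whoever triggered the run; that matches the secret-context failure exactly, but it does not exclude Dependabot PRs as such, because as far as I know a maintainer pushing a commit to a Dependabot branch triggers the run under their own identity, the job then runs with the normal secrets, and the dependency bump lands on the board after all, contrary to the second rationale in the added comment. If the exclusion is meant to hold for the PR as a whole, also check the PR author: `if: ${{ github.actor != 'dependabot[bot]' && github.event.pull_request.user.login != 'dependabot[bot]' }}`. The `on:` trigger list and any further inputs under `with:` sit outside the hunk, so I cannot confirm which events reach this job.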
From: Anna Garcia <11654201+turnipdabeets@users.noreply.github.com>
Date: Thu, 4 Jun 2026 15:55:41 -0400
Subject: [PATCH 2/2] Update .github/workflows/call-flags-project-board.yml
Co-authored-by: Dustin Byrne
---
 .github/workflows/call-flags-project-board.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/workflows/call-flags-project-board.yml b/.github/workflows/call-flags-project-board.yml
index b1a5780d..a032ba7b 100644
--- a/.github/workflows/call-flags-project-board.yml
+++ b/.github/workflows/call-flags-project-board.yml
@@ -9,10 +9,6 @@ on:
 jobs:
 call-flags-project:
- # Dependabot-triggered runs execute in a restricted secret context without
- # access to the GitHub App credentials this workflow needs, so the reusable
- # workflow's token step always hard-fails. Skip it for Dependabot — dependency
- # bumps don't belong on the feature flags board anyway.
 if: ${{ github.actor != 'dependabot[bot]' }}
 uses: PostHog/.github/.github/workflows/flags-project-board.yml@d8b55d05dc5150f05c24542a6397ff3ecfbfb56d
 with: