From b54327aa4136c48c75f9cdcf8daafcfb60986033 Mon Sep 17 00:00:00 2001
From: Anna Garcia
Date: Thu, 4 Jun 2026 14:28:42 -0400
Subject: [PATCH] ci: skip flags project board for Dependabot PRs

The add-to-project-board job generates a GitHub App token as its first step. Dependabot-triggered runs execute in a restricted secret context with no access to PROJECT_BOARD_BOT_APP_ID / PROJECT_BOARD_BOT_PRIVATE_KEY, so create-github-app-token hard-fails with "The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string" on every dependency-bump PR across every repo that calls this workflow.

Guard the job with `github.actor != 'dependabot[bot]'`. Skipping is safe (the board only acts when a Flags team member is requested as reviewer, which never happens on Dependabot bumps) and safer than the alternative of exposing the org-write App key to the untrusted Dependabot context.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/flags-project-board.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/flags-project-board.yml b/.github/workflows/flags-project-board.yml
index 1518ba3..412a697 100644
--- a/.github/workflows/flags-project-board.yml
+++ b/.github/workflows/flags-project-board.yml
@@ -62,7 +62,11 @@ jobs:
 # the github.event_name is supposed to be `workflow_call`, but because this workflow lives in the special `.github` repository,
 # it preserves the original event name (e.g. pull_request).
 # This is a not well-documented special case.
- if: (github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request' || github.event_name == 'pull_request_review') && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
+ # Dependabot-triggered runs execute in a restricted secret context with no
+ # access to PROJECT_BOARD_BOT_APP_ID / PRIVATE_KEY, so the token step below
+ # hard-fails ("'app-id' must be a non-empty string") on every dependency-bump
+ # PR. Skip them — dependency bumps don't belong on the feature flags board.
+ if: (github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request' || github.event_name == 'pull_request_review') && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
 steps:
 - name: Generate GitHub App Token
 id: app-token
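Review bot: The new guard keys on `github.actor`, which is the user who triggered the run, not the PR author — on the `pull_request_review` and `workflow_dispatch` events this job also accepts, a Dependabot PR that a human reviews or dispatches still passes the check and the job runs, so the added comment's claim that dependency bumps are kept off the board is only true for the `pull_request` event. That is fine if the sole goal is to stop the token step failing (a human-triggered run presumably gets the normal secret context, which is inferred from GitHub's Dependabot documentation rather than visible here), but then the comment should be narrowed to say so. If the intent really is to exclude Dependabot PRs from the board on every event, guard on the author as well: `&& github.actor != 'dependabot[bot]' && github.event.pull_request.user.login != 'dependabot[bot]'` (the second comparison is simply false-safe on `workflow_dispatch`, where `github.event.pull_request` is absent). As a point of style, the `if:` is now a single ~280-character expression; a `>-` folded scalar with one clause per line would make the three conditions reviewable. The job's header is above the hunk and its steps continue below it.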