fix(ci): treat renovate bot as trusted for e2e/functional test gates #2789
PR Summary by Qodo: CI: allowlist Renovate bot for e2e/functional test authorization
🤖 Review · ❌ Terminated · Started 4:53 PM UTC · Ended 5:00 PM UTC
Code Review by Qodo
1. Bot trust lacks login fallback
| elif is_trusted_bot "${PR_AUTHOR_LOGIN:-}"; then | ||
| authorized=true | ||
| reason="trusted_bot" |
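Review bot: in `elif is_trusted_bot "${PR_AUTHOR_LOGIN:-}"`, the branch sets `authorized=true` on a login string alone, and the `:-` default means an unset variable reaches `is_trusted_bot` as an empty string. The function should reject an empty argument and compare with a quoted, whole-string test, since `[bot]` in an unquoted shell pattern is a bracket expression rather than literal text. A test case for the empty login and for a near-miss login would pin both behaviours down.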
1. Bot trust lacks login fallback 🐞 Bug ≡ Correctness
The new trusted-bot authorization path only checks PR_AUTHOR_LOGIN, so callers that don’t set this env var cannot recognize trusted bots even when PR data is fetched via the GitHub API. This can incorrectly deny trusted bot PRs in ad-hoc/local invocations or future workflows that omit PR_AUTHOR_LOGIN.
Agent Prompt
### Issue description
`is_trusted_bot` is only evaluated against `PR_AUTHOR_LOGIN`. When `PR_AUTHOR_LOGIN` is unset, the script never derives the author login from the PR API response (even when it already fetches `pr_json`), so trusted bots can be incorrectly treated as unauthorized depending on how the script is invoked.
### Issue Context
- The script documents `PR_AUTHOR_LOGIN` as optional.
- The composite action/workflows currently pass `PR_AUTHOR_LOGIN`, so CI isn’t broken today; this is a robustness/contract mismatch for other invocation paths.
### Fix Focus Areas
- scripts/check-e2e-authorization.sh[60-66]
- scripts/check-e2e-authorization.sh[89-113]
### Suggested implementation
- Introduce a local `author_login` variable.
- Populate it as:
  - `author_login="${PR_AUTHOR_LOGIN:-}"`
  - If empty and `pr_json` is available (or needs to be fetched for other reasons), set `author_login="$(jq -r '.user.login // empty' <<<"${pr_json}")"`.
- Use `author_login` for both `is_trusted_bot` and `has_write_permission`.
- Optional hardening: have `is_trusted_bot` return false when `login` is empty to avoid any future edge cases if the trusted list ever becomes empty/malformed.
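The login fallback and the optional hardening suggested in the review comment above, as an added shell example (not the project's script and not Qodo's code). It assumes `TRUSTED_BOT_LOGINS` is a newline-separated string, introduces a hypothetical `resolve_author_login` helper, and needs `jq` only for the `pr_json` fallback.

```shell
#!/bin/sh
# Added example, not the project's check-e2e-authorization.sh.
# Assumption: the allowlist is a newline-separated string.
TRUSTED_BOT_LOGINS='renovate-fullsend[bot]'

# Succeed only on an exact whole-string match. The quoted "=" test keeps
# "[bot]" literal; as an unquoted case or [[ == ]] pattern it would be a
# bracket expression matching the prefix plus a single b, o or t.
is_trusted_bot() {
  login=$1
  [ -n "$login" ] || return 1   # an empty login is never trusted
  while IFS= read -r entry; do
    if [ -n "$entry" ] && [ "$login" = "$entry" ]; then
      return 0
    fi
  done <<EOF
$TRUSTED_BOT_LOGINS
EOF
  return 1
}

# Hypothetical helper: prefer PR_AUTHOR_LOGIN (arg 1), otherwise read
# .user.login from the PR API response (arg 2). Prints nothing if neither
# yields a login.
resolve_author_login() {
  if [ -n "$1" ]; then
    printf '%s\n' "$1"
  elif [ -n "$2" ]; then
    printf '%s' "$2" | jq -r '.user.login // empty'
  fi
}

# Constructed sample logins: the bot, a bracket-glob look-alike, an
# ordinary user name, and the empty string.
for candidate in 'renovate-fullsend[bot]' 'renovate-fullsendb' 'octocat' ''; do
  author_login=$(resolve_author_login "$candidate" '')
  if is_trusted_bot "$author_login"; then
    reason=trusted_bot
  else
    reason=not_a_trusted_bot
  fi
  printf '%-24s -> %s\n' "[$candidate]" "$reason"
done
```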
Codecov Report: ✅ All modified and coverable lines are covered by tests.
🤖 Finished Review · ❌ Failure · Started 4:53 PM UTC · Completed 5:00 PM UTC
🤖 Finished Review · ❌ Failure · Started 5:19 PM UTC · Completed 5:26 PM UTC
renovate-fullsend[bot] has author_association CONTRIBUTOR, so its PRs skip e2e and functional tests unless someone manually adds ok-to-test. This meant the openshell 0.0.63→0.0.71 upgrade merged without test coverage.

Add a TRUSTED_BOT_LOGINS list to the authorization script so recognized bots are authorized without requiring a label or collaborator API fallback.

Signed-off-by: Ralph Bean <rbean@redhat.com>
Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
b13f51b to 330a31b
🤖 Finished Review · ✅ Success · Started 7:40 PM UTC · Completed 7:50 PM UTC
Review Findings: Medium
🤖 Finished Retro · ✅ Success · Started 8:10 AM UTC · Completed 8:19 AM UTC
Retro: PR #2789 — fix(ci): treat renovate bot as trusted for e2e/functional test gates
Timeline
Assessment
Review quality: Good. The review agent's two findings were appropriate —
Infrastructure reliability: Poor. Two out of three review runs failed due to transient openshell sandbox crashes (network namespace
Rework rate: Zero. Single commit, no fix agent involvement, no code changes requested by review.
Existing issue coverage
All identified improvement opportunities are already tracked by open issues:
No new proposals filed — existing issues adequately cover the improvement opportunities identified in this workflow.
Summary
- `TRUSTED_BOT_LOGINS` list to `check-e2e-authorization.sh` with `renovate-fullsend[bot]` as the first entry
- `author_association` is `CONTRIBUTOR`, which meant its PRs were silently skipping e2e and functional tests unless someone manually added `ok-to-test`

Companion to #2788 (adds `.github/scripts/` to e2e path triggers).

Test plan
- `bash scripts/check-e2e-authorization-test.sh` — all passing

🤖 Generated with Claude Code