[Beginner]: Bot fails to auto-assign dependabot[bot] on dependabot PRs #1283
Description
🐥 Beginner Friendly
This issue is a great fit for contributors who are ready to explore the Hiero C++ codebase a little more and take on slightly more independent work.
It involves reading existing JavaScript bot code, understanding how username validation works, making a small targeted fix, and extending the test suite to cover the new case.
The goal is to support skill growth while keeping the experience approachable, well-scoped, and enjoyable.
👾 Description of the Issue
The PR bot is supposed to auto-assign the PR author when a PR is opened. For dependabot PRs, this means assigning dependabot[bot]. However, the bot silently skips the assignment and no assignee is ever set.
The root cause is in:
.github/scripts/helpers/validation.js
The isSafeSearchToken function validates usernames using the regex /^[a-zA-Z0-9._/-]+$/.
This character set does not include [ or ]. GitHub bot accounts use the [bot] suffix in their usernames (e.g. dependabot[bot]), so when requireSafeUsername is called with dependabot[bot], it throws and the auto-assign step returns early without doing anything.
Note: the dashboard comment is correctly skipped for bot-authored PRs — that behavior is working as expected and should not be changed.
💡 Proposed Solution
Update the isSafeSearchToken regex in helpers/validation.js to allow [ and ], so that GitHub bot usernames like dependabot[bot] pass validation and can be assigned.
Then add a test case in the existing test file to cover this scenario, following the patterns already used in the test suite.
👩💻 Implementation Steps
- Open .github/scripts/helpers/validation.js
- Review the isSafeSearchToken function and understand what the regex is allowing
- Update the isSafeSearchToken regex to also allow [ and ], which appear in GitHub bot usernames like dependabot[bot]
- Open .github/scripts/tests/test-utils.js and review the existing test cases
- Add test cases that assert:
  - isSafeSearchToken('dependabot[bot]') returns true
  - isSafeSearchToken still returns false for strings with characters outside the allowed set (e.g. spaces, <, >, ;)
- Run the existing tests to confirm everything passes
- Sign your commit using -s -S and open a pull request
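
The validation change described in the steps above, as an added example rather than code from the Hiero repository: it compares the original regex with the bracket-widened one the issue proposes and, going beyond the issue, a stricter variant that accepts brackets only as a literal [bot] suffix. The makeValidator wrapper, the SUFFIX_ONLY pattern and the sample inputs are assumptions made for illustration.

```javascript
// Added example: hypothetical reconstruction, not the repository's validation.js.
// Only the original regex /^[a-zA-Z0-9._/-]+$/ comes from the issue text.

// Current behaviour described in the issue: brackets are rejected.
const ORIGINAL = /^[a-zA-Z0-9._/-]+$/;

// Option A, the change the issue proposes: add [ and ] to the character class.
const BROAD = /^[a-zA-Z0-9._/\[\]-]+$/;

// Option B (assumption, stricter alternative): same base set plus an optional
// literal "[bot]" suffix, so brackets pass only in the <name>[bot] form.
const SUFFIX_ONLY = /^[a-zA-Z0-9._/-]+(?:\[bot\])?$/;

function makeValidator(pattern) {
  // Reject non-strings up front; the "+" quantifier already rejects "".
  return (value) => typeof value === 'string' && pattern.test(value);
}

const isSafeOriginal = makeValidator(ORIGINAL);
const isSafeBroad = makeValidator(BROAD);
const isSafeSuffixOnly = makeValidator(SUFFIX_ONLY);

// Constructed sample inputs (not taken from the repository's test suite).
const SAMPLES = [
  'octocat', 'dependabot[bot]', 'renovate[bot]',
  'user name', 'a<b', 'a>b', 'a;b', '',
  '[bot]', 'a[b]c', 'x]y[', 'dependabot[bot]extra',
];

// Returns one row per input showing which validator accepts it.
function compare(samples = SAMPLES) {
  return samples.map((s) => ({
    input: s,
    original: isSafeOriginal(s),
    broad: isSafeBroad(s),
    suffixOnly: isSafeSuffixOnly(s),
  }));
}

console.table(compare());
```

Both options satisfy the acceptance criteria below; they differ only on inputs such as a[b]c or x]y[, which Option A accepts and Option B rejects.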
✅ Acceptance Criteria
To help get this change merged smoothly:
- Scope: Changes are limited to validation.js and test-utils.js
- Correctness: isSafeSearchToken('dependabot[bot]') returns true
- Safety: isSafeSearchToken still returns false for strings with disallowed characters
- Tests: Existing and any new tests pass
- Behavior: No other SDK behavior or API changes
- Review: All code review feedback addressed
📋 Step-by-Step Contribution Guide
To help keep contributions consistent and easy to review, we recommend following these steps:
- Comment /assign to request the issue
- Wait for assignment
- Fork the repository and create a branch
- Set up the project using the instructions in README.md
- Make the requested changes
- Sign each commit using -s -S
- Push your branch and open a pull request
Read Workflow Guide for step-by-step workflow guidance.
Read README.md for setup instructions.
❗ Pull requests cannot be merged without S and s signed commits.
See the Signing Guide.
🤔 Additional Information
- Example dependabot PR where auto-assign is missing: build(deps): Bump shogo82148/actions-setup-perl from 1.37.1 to 1.38.1 #1262
- The bot check that skips the dashboard comment for bot PRs (user.type === 'Bot' in bot-on-pr-open.js) is working correctly — do not change it
- GitHub bot usernames follow the <name>[bot] pattern; square brackets are standard for all GitHub App bot accounts
If you have questions while working on this issue, feel free to ask!
You can reach the community and maintainers here:
Hiero-SDK-C++ Discord
Whether you need help finding the right file, understanding existing code,
or confirming your approach — we're happy to help.