
docs: document bot-authored PR gates and semantic-pr-title trigger #37

Merged
leonardosul merged 1 commit into main from docs/bot-pr-gates on Apr 22, 2026

@leonardosul
Contributor

Summary

  • Document the first-time-contributor approval gate that holds workflow runs on bot-authored PRs (release-please, sometimes Dependabot) with conclusion: action_required until a maintainer clicks Approve and run workflows
  • Document why semantic-pr-title.yml uses pull_request instead of pull_request_target: GitHub silently suppresses pull_request_target for PRs authored by GitHub App installations, which is why every release-please PR in this repo's history accumulated with a missing required check
  • Add a dedicated section walking through the full release-PR lifecycle so the two explicit maintainer actions per release (unlock workflows → bypass merge) are documented as intended behavior, not undocumented friction

Companion PR

Pair with #36, which makes the semantic-pr-title.yml trigger change. This doc PR describes the final state; both should merge together.

What's new in the doc

  • Updated summary table and permission matrix entries for semantic-pr-title.yml
  • Updated sequence diagrams (Human fix PR, Dependabot PR, Release-please PR) to reflect the new trigger
  • New "Why not pull_request_target" bullet in the Semantic PR Title workflow detail
  • New top-level section: "Bot-authored PRs and the first-time-contributor gate" with a subsection on pull_request_target suppression and a step-by-step of what to expect on a release PR

Test plan

  • mkdocs --strict build passes locally (verified)
  • After merge, the docs site at https://nat-zero.machine.dev/workflows/ shows the new section
  • Next release-please PR's workflow behavior matches the documented 7-step lifecycle

🤖 Generated with Claude Code

Describe two related behaviors that affect release-please and other
bot-authored PRs:

1. The first-time-contributor approval gate holds workflow runs with
   conclusion action_required until a maintainer clicks "Approve and
   run workflows." This is the intended posture for a public infra
   module — loosening the gate would auto-run workflows on any
   stranger's first PR, which is too permissive.

2. GitHub silently suppresses pull_request_target for PRs authored by
   GitHub App installations. That is why semantic-pr-title.yml was
   switched from pull_request_target to pull_request in the companion
   CI change — the previous trigger meant release PRs accumulated with
   a permanently-missing required check.

Add a dedicated top-level section walking through the full release-PR
lifecycle (unlock workflows → checks run → bypass merge past skipped
go-test and missing non-bot approval) so the two maintainer actions
per release are documented and audited behavior rather than
undocumented friction.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@leonardosul leonardosul merged commit a6a5997 into main Apr 22, 2026
5 checks passed
@leonardosul leonardosul deleted the docs/bot-pr-gates branch April 22, 2026 03:11
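
The two states this PR documents look different in the Actions API: a gated run exists with conclusion `action_required`, while a suppressed trigger leaves no run at all. The following is an added example, not code from this repository, that separates the two over a constructed payload shaped like the `workflow_runs` list of GitHub's REST API; the sample SHAs, the `audit` helper, and the assumption that the required check is named after its workflow are hypothetical.

```python
import json

# Constructed payload, shaped like the "workflow_runs" array of
# GET /repos/{owner}/{repo}/actions/runs. SHAs and runs are made up.
SAMPLE_RUNS = json.loads("""[
 {"name": "go-test", "head_sha": "a1", "conclusion": "action_required",
  "actor": {"login": "release-please[bot]", "type": "Bot"}},
 {"name": "go-test", "head_sha": "b2", "conclusion": "action_required",
  "actor": {"login": "release-please[bot]", "type": "Bot"}},
 {"name": "semantic-pr-title", "head_sha": "b2", "conclusion": "action_required",
  "actor": {"login": "release-please[bot]", "type": "Bot"}},
 {"name": "go-test", "head_sha": "c3", "conclusion": "success",
  "actor": {"login": "some-human", "type": "User"}},
 {"name": "semantic-pr-title", "head_sha": "c3", "conclusion": null,
  "actor": {"login": "some-human", "type": "User"}}
]""")

# Assumption: the required check carries the same name as its workflow.
REQUIRED = {"semantic-pr-title"}


def audit(runs, required=REQUIRED):
    """Per head SHA, separate runs held at the approval gate from
    required workflows that produced no run at all."""
    by_sha = {}
    for run in runs:
        by_sha.setdefault(run["head_sha"], []).append(run)
    report = {}
    for sha, group in by_sha.items():
        seen = {r["name"] for r in group}
        report[sha] = {
            "bot_authored": any(r["actor"]["type"] == "Bot" for r in group),
            # A run exists but is waiting for "Approve and run workflows".
            "needs_approval": sorted(
                r["name"] for r in group
                if r.get("conclusion") == "action_required"),
            # No run was ever created: approving will not make it appear.
            "never_triggered": sorted(required - seen),
        }
    return report


if __name__ == "__main__":
    for sha, row in audit(SAMPLE_RUNS).items():
        print(sha, row)
```

A SHA listed under `never_triggered` is the case the trigger change addresses; one listed only under `needs_approval` is the expected gate and clears once a maintainer approves the run.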