
Add auto-approver for testbot-respond environment #835

Merged
jiaenren merged 1 commit into main from jiaenr/testbot-auto-approve
Apr 9, 2026

Conversation

@jiaenren
Collaborator

@jiaenren jiaenren commented Apr 9, 2026

Description

Auto-approves the testbot-respond environment deployment when the triggering actor is an NVIDIA/osmo-dev team member or a trusted bot. Runs from main via workflow_run, so PR authors cannot tamper with the approval logic.

  • Trusted bots (svc-osmo-ci, github-actions[bot], coderabbitai[bot]) are auto-approved so their runs complete quickly — respond.py finds no /testbot threads and exits. This prevents bot-triggered runs from blocking the concurrency group
  • Non-team-member actors are blocked — their runs stay pending and time out

Issue #760

Manual setup required after merge

  • Add svc-osmo-ci as required reviewer on the testbot-respond environment (the API strictly requires the PAT owner to be a listed reviewer)
  • Verify SVC_OSMO_CI_TOKEN PAT scopes include read:org + repo

Test plan

  • Merge to main (workflow_run only fires from default branch)
  • On a PR with ai-generated label, post /testbot as osmo-dev member → auto-approved within seconds
  • Post /testbot as non-member → stays pending, never approved
  • Bot reply on a PR → auto-approved as trusted bot → respond.py exits with no actionable threads

Checklist

  • I am familiar with the Contributing Guidelines.
  • New or existing tests cover these changes.
  • The documentation is up to date with these changes.

Summary by CodeRabbit

  • Chores
    • Added an automated workflow that auto-approves pending deployments for the designated review environment, speeding deployment progress for trusted actors.
    • Confirms the triggering actor is authorized (trusted bot or org team member), waits for pending deployments to appear, and approves matching deployments with contextual comments.
    • Logs outcomes and surfaces guidance when approvals cannot be completed.

@jiaenren jiaenren requested a review from a team as a code owner April 9, 2026 00:00
@coderabbitai

coderabbitai Bot commented Apr 9, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds a GitHub Actions workflow that auto-approves pending deployments for the testbot-respond environment by validating the triggering actor (trusted-bot list or osmo-dev team membership), polling for pending deployments, and calling the Actions API to approve matching deployments.

Changes

Cohort / File(s): GitHub Actions Workflow (.github/workflows/testbot-respond-approve.yaml)
Summary: Adds a workflow triggered on workflow_run for “Testbot - Respond to Reviews”. The job runs actions/github-script using secrets.SVC_OSMO_CI_TOKEN, verifies workflow run status, checks the triggering actor against a hardcoded trusted-bot list or osmo-dev team membership, polls getPendingDeploymentsForRun with backoff and jitter, filters deployments where environment.name === 'testbot-respond', and calls reviewPendingDeploymentsForRun with state: approved and a contextual comment. Logs and exits on no matches; fails with guidance if the approval call errors.

Sequence Diagram(s)

sequenceDiagram
    participant TriggeringWorkflow as Triggering Workflow
    participant ApproverWorkflow as Approve Workflow
    participant Script as github-script
    participant ActionsAPI as GitHub Actions API
    participant TeamsAPI as GitHub Teams API

    TriggeringWorkflow->>ApproverWorkflow: workflow_run (requested)
    ApproverWorkflow->>Script: execute with SVC_OSMO_CI_TOKEN
    Script->>ActionsAPI: getWorkflowRun(run_id)
    alt run already completed
        ActionsAPI-->>Script: status=completed
        Script-->>ApproverWorkflow: exit
    else
        Script->>ActionsAPI: getPendingDeploymentsForRun(run_id) [poll with backoff + jitter]
        alt actor not in trusted list
            Script->>TeamsAPI: getMembershipForUserInOrg(actor, org=osmo)
            TeamsAPI-->>Script: membership / 404 / error
        else actor trusted
            Note right of Script: skip team check
        end
        alt pending deployments found for environment 'testbot-respond'
            Script->>ActionsAPI: reviewPendingDeploymentsForRun(state=approved, env_ids, comment)
            ActionsAPI-->>Script: approval result
        else none found
            Script-->>ApproverWorkflow: log and exit
        end
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 I hopped through YAML fields with cheer,

I checked the bots and peered for peers,
I waited, jittered, then gave a nod,
Approvals skipped across the sod,
Now CI dreams of carrot beer 🍃🥕

Pre-merge checks: 3 passed

Title check: Passed. The title 'Add auto-approver for testbot-respond environment' directly and clearly describes the main change, a new GitHub Actions workflow that auto-approves deployments for the testbot-respond environment.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check: Passed. Check skipped because CodeRabbit’s high-level summary is enabled.

coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/testbot-respond-approve.yaml:
- Around line 109-114: The workflow currently treats zero pending deployments as
an error by calling core.setFailed when deployments.length === 0; change this to
a non-failing path: replace the core.setFailed invocation with a benign log
(e.g., core.info or core.warning) that includes the run.id and a short reason
(e.g., "no pending deployments — run may be cancelled/already approved/queued"),
then return; this prevents false negatives for legitimate workflow_run.requested
cases while preserving the early exit when no deployments are found.
- Around line 73-85: The catch currently treats all errors from
github.rest.teams.getMembershipForUserInOrg as "not a member"; change the error
handling in the isTrustedBot branch so you only treat err.status === 404 as a
non-member (call core.info and return), and for any other status (e.g., 403,
429, 500) call core.setFailed with the error details (include actor and
err.status) so the failure is surfaced and then rethrow or return to stop
further processing; update references in this block (isTrustedBot,
github.rest.teams.getMembershipForUserInOrg, actor, core.info, core.setFailed)
accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: eddcd036-fd53-405a-8d55-2306b6a1d78b

📥 Commits

Reviewing files that changed from the base of the PR and between c629a87 and fcba7b3.

📒 Files selected for processing (1)
  • .github/workflows/testbot-respond-approve.yaml

@codecov

codecov Bot commented Apr 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 42.67%. Comparing base (c629a87) to head (e2cdc56).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #835      +/-   ##
==========================================
+ Coverage   42.49%   42.67%   +0.18%     
==========================================
  Files         203      203              
  Lines       27121    27121              
  Branches     7759     7759              
==========================================
+ Hits        11524    11574      +50     
+ Misses      15486    15434      -52     
- Partials      111      113       +2     
Flag: backend, coverage 44.90% (+0.20%)

14 files with indirect coverage changes (not listed here).

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/testbot-respond-approve.yaml:
- Around line 76-82: The call to github.rest.teams.getMembershipForUserInOrg
(used to auto-approve in this workflow) currently treats any 200 response as
approval; update the catch-branch logic so you examine the response.body.state
(or response.data.state) from getMembershipForUserInOrg and require state ===
'active' before granting approval. If the state is not 'active', treat it as
unauthorized (log a message and do not proceed with approval), and handle cases
where the call throws (keep the existing catch behavior). Ensure the check is
performed immediately after the getMembershipForUserInOrg call and before
logging `${actor} is an NVIDIA/osmo-dev team member`.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bd22af3e-71a1-4006-a42c-213e8d30976f

📥 Commits

Reviewing files that changed from the base of the PR and between 509dda9 and 705e8da.

📒 Files selected for processing (1)
  • .github/workflows/testbot-respond-approve.yaml
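The approval flow that the PR description and the two CodeRabbit reviews above describe, written out as an added example in JavaScript, the language actions/github-script executes. This is not the workflow file from the PR. The trusted-bot list, the osmo-dev team slug and the testbot-respond environment name are taken from the PR; the org name NVIDIA, the owner/repo coordinates, the polling parameters and the offline mock of the github-script `github.rest` client are assumptions made so the file runs under plain `node` with no network or token. The three review findings are folded in: only a 404 from the membership endpoint counts as "not a member", a 200 is accepted only when `state` is `active`, and zero pending deployments is a benign exit rather than a failure.

```javascript
// Added example, not the project's workflow: the testbot-respond auto-approver
// decision logic as plain async functions over the github-script `github.rest`
// client, plus an offline mock of that client. Org/repo names are assumptions.

const TRUSTED_BOTS = new Set(['svc-osmo-ci', 'github-actions[bot]', 'coderabbitai[bot]']);
const ORG = 'NVIDIA';              // assumed: the org that owns the osmo-dev team
const TEAM_SLUG = 'osmo-dev';
const ENVIRONMENT = 'testbot-respond';

// Classify the triggering actor: 'trusted-bot', 'member' or 'not-member'.
// Only a 404 from the membership endpoint means "not on the team". Any other
// error (403 from a token without the needed scope, 429, 5xx) is rethrown so
// the job fails visibly instead of quietly denying a legitimate member.
async function classifyActor(github, actor) {
  if (TRUSTED_BOTS.has(actor)) return 'trusted-bot';
  let resp;
  try {
    resp = await github.rest.teams.getMembershipForUserInOrg({
      org: ORG, team_slug: TEAM_SLUG, username: actor,
    });
  } catch (err) {
    if (err.status === 404) return 'not-member';
    throw new Error(`membership lookup for ${actor} failed: HTTP ${err.status}`);
  }
  // A 200 with state 'pending' is an unaccepted invitation, not membership.
  return resp.data.state === 'active' ? 'member' : 'not-member';
}

// Poll for pending deployments with exponential backoff plus jitter. `sleep`
// and `random` are injectable so the logic can be exercised without waiting.
async function waitForPendingDeployments(github, repo, runId, opts = {}) {
  const { attempts = 6, baseMs = 2000,
          sleep = (ms) => new Promise((r) => setTimeout(r, ms)),
          random = Math.random } = opts;
  for (let i = 0; i < attempts; i++) {
    const { data } = await github.rest.actions.getPendingDeploymentsForRun({ ...repo, run_id: runId });
    if (data.length > 0) return data;
    if (i < attempts - 1) await sleep(baseMs * 2 ** i + Math.floor(random() * baseMs));
  }
  return [];
}

// Full decision for one workflow_run event. Returns a result object instead of
// calling core.setFailed so the caller decides what is fatal.
async function approveTestbotRun(github, { repo, runId, actor, log = () => {}, sleep, random }) {
  const run = await github.rest.actions.getWorkflowRun({ ...repo, run_id: runId });
  if (run.data.status === 'completed') return { approved: false, reason: 'run-completed' };

  const kind = await classifyActor(github, actor);
  if (kind === 'not-member') {
    log(`${actor} is neither a trusted bot nor an ${ORG}/${TEAM_SLUG} member; run ${runId} stays pending`);
    return { approved: false, reason: 'not-member' };
  }

  const pending = await waitForPendingDeployments(github, repo, runId, { sleep, random });
  const envIds = pending.filter((d) => d.environment.name === ENVIRONMENT).map((d) => d.environment.id);
  if (envIds.length === 0) {
    // Not a failure: the run may be cancelled, already approved, or not yet queued.
    log(`run ${runId}: no pending ${ENVIRONMENT} deployment (cancelled / already approved / queued?)`);
    return { approved: false, reason: 'no-pending' };
  }

  await github.rest.actions.reviewPendingDeploymentsForRun({
    ...repo, run_id: runId, environment_ids: envIds, state: 'approved',
    comment: `Auto-approved: ${actor} is ${kind === 'trusted-bot' ? 'a trusted bot' : `an ${ORG}/${TEAM_SLUG} member`}`,
  });
  return { approved: true, reason: kind, environmentIds: envIds };
}

// Constructed offline stand-in for the three API calls used above.
// `members` maps username -> membership state, or an Error to throw;
// `pendingPerPoll` lists the deployments returned by successive polls.
function mockGithub({ members = {}, pendingPerPoll = [[]], runStatus = 'in_progress' } = {}) {
  let polls = 0;
  const approvals = [];
  const notFound = () => Object.assign(new Error('Not Found'), { status: 404 });
  return {
    approvals,
    rest: {
      teams: {
        async getMembershipForUserInOrg({ username }) {
          const m = members[username];
          if (m === undefined) throw notFound();
          if (m instanceof Error) throw m;
          return { data: { state: m, role: 'member' } };
        },
      },
      actions: {
        async getWorkflowRun() { return { data: { status: runStatus } }; },
        async getPendingDeploymentsForRun() {
          const page = pendingPerPoll[Math.min(polls, pendingPerPoll.length - 1)];
          polls += 1;
          return { data: page };
        },
        async reviewPendingDeploymentsForRun(args) { approvals.push(args); return { data: [] }; },
      },
    },
  };
}
```

Inside a real github-script step the same functions would be called with the real `github` client, `context.repo` as `repo`, and `context.payload.workflow_run.id` / `.actor.login` as `runId` / `actor`; the caller maps `approved: false, reason: 'not-member'` to a plain log line (the run is left pending, as the PR intends) and a thrown error to `core.setFailed`. Keeping the membership check separate from the polling makes the two security-relevant decisions easy to test: a user with a pending team invitation and a user who is not on the team at all both land in `not-member`, while an unexpected API error never silently becomes either outcome.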

Auto-approves environment deployment for NVIDIA/osmo-dev team
members and trusted bots (svc-osmo-ci, github-actions[bot],
coderabbitai[bot]). Uses workflow_run trigger from main branch
so PR authors cannot tamper with the approval logic.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jiaenren jiaenren force-pushed the jiaenr/testbot-auto-approve branch from 43fdc5e to e2cdc56 Compare April 9, 2026 01:48
@jiaenren jiaenren merged commit f6535b9 into main Apr 9, 2026
15 checks passed
@jiaenren jiaenren deleted the jiaenr/testbot-auto-approve branch April 9, 2026 20:28