fix: add missing review-pr/mention-reply/action.yml#177
Merged
Conversation
The reply-to-mention job in review-pr.yml references docker/cagent-action/review-pr/mention-reply@<sha> but the composite action at review-pr/mention-reply/action.yml was never created. This caused startup_failure on every workflow run that triggered the reply-to-mention job, because GitHub validates all action references before executing any job steps. Create review-pr/mention-reply/action.yml modelled after the existing review-pr/reply/action.yml: - Input: mention-context (replaces thread-context) - No comment-id input (not passed by the caller) - Runs pr-review-mention-reply.yaml agent - Memory cache keyed on mention-reply prefix so it shares the cross-run memory pool without colliding with the reply job's cache Assisted-By: docker-agent
![docker-agent[bot]](https://avatars.githubusercontent.com/in/2787757?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Assessment: 🟢 APPROVE
The new review-pr/mention-reply/action.yml correctly mirrors the existing reply/action.yml sibling:
- ✅ Correct root action SHA (
2369328cd25777eb0a4ff959a399b6d1a5204fc7 # v1.4.4) - ✅ Correct
actions/cache/restore+actions/cache/savepinned SHAs - ✅ Correct
mention-reply-memory cache key prefix (distinct fromreply-) - ✅ Correct input name (
mention-contextvsthread-contextin reply) - ✅
comment-idcorrectly omitted (not passed by the caller workflow) - ✅ Correct agent:
pr-review-mention-reply.yaml - ✅
continue-on-error: truepresent on the agent step - ✅
if: always()present on the save step
The absence of org-membership-token / auth-org inputs is intentional: the workflow always passes skip-auth: "true" because auth was already verified upstream by .github/actions/mention-reply. No bugs found in the changed code.
docker-agent
commented
May 6, 2026
Contributor
Author
docker-agent
left a comment
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🟢 APPROVE
The new review-pr/mention-reply/action.yml correctly implements the missing composite action that was causing startup_failure in consumer repos. The implementation faithfully follows the established pattern of review-pr/reply/action.yml with appropriate intentional differences:
mention-contextas the primary input (vsthread-contextin reply)- No
org-membership-token/auth-orginputs — correct, since the caller (review-pr.yml) always hardcodesskip-auth: "true"after the upstreammention-replyhandler verifies auth - No
comment-idinput — correct, since the reaction step is handled directly in the calling workflow usingsteps.run-reply.outcome - Memory cache key uses
mention-reply-prefix (separate fromreply-) with shared fallbackpr-review-memory-${{ github.repository }}-for cross-action memory sharing — correct - Inner
docker/cagent-action@2369328...SHA and allactions/cacheSHAs match the reference action exactly - Agent path
${{ env.ACTION_PATH }}/../agents/pr-review-mention-reply.yamlcorrectly resolves toreview-pr/agents/pr-review-mention-reply.yamlwhich exists - Step ID
run-mention-replyis consistently referenced inoutputs.agent-outcome,if: always()condition on the save step
No bugs, security issues, or deviations from established patterns found.
docker-agent
force-pushed
the
fix/mention-reply-action
branch
from
0b839d4 to
4f67135
Compare
The 'Create check run' and 'Update check run' steps used:
github-token: ${{ env.GITHUB_APP_TOKEN || github.token }}
GITHUB_APP_TOKEN is a PAT fetched from AWS Secrets Manager. The GitHub
Checks API (POST /repos/.../check-runs) rejects PATs with HTTP 403:
'You must authenticate via a GitHub App.'
github.token IS a GitHub App token (the Actions app) and works with the
Checks API. Switch both steps to use github.token directly.
The review job's permissions block was also missing checks: write, which
meant github.token had no permission to create/update check runs even
when used. Add it alongside the existing job-level permissions.
Two-line change in the permissions block, two token references updated.
Assisted-By: docker-agent
The 'Check if reply is to agent comment' step identified bot comments by checking user.type == 'Bot'. docker-agent is a machine user created before the GitHub Bot account type existed; its user.type is 'User', so the check rejected all replies to its review comments. Extract parent_user_login alongside parent_user_type and widen the condition to also pass when login == 'docker-agent': if ([ "$parent_user_type" = "Bot" ] || [ "$parent_user_login" = "docker-agent" ]) && ... The <!-- cagent-review --> marker check that follows already provides content-based verification, so the login check is defence-in-depth rather than the sole gate. Assisted-By: docker-agent
docker-agent
force-pushed
the
fix/mention-reply-action
branch
2 times, most recently
from
5cbae10 to
1f10da2
Compare
docker-agent is a machine user with user.type='User', not 'Bot'. All Bot-type guards were either dead code or actively wrong. Changes by category: Cascade-prevention guards removed (org membership check is sufficient): - review job if: removed sender.type!='Bot' from both pull_request arms - Check for /review command: removed COMMENT_TYPE env var and the 'if Bot and not docker-agent → skip' block - reply-to-mention job if: removed user.type!='Bot' filter Bot auto-allow bypass removed (no Bot-type actors in this codebase): - Check membership: removed COMMENT_AUTHOR_TYPE env var and the 'if (userType === Bot) → auto-allow' early-return in the JS script Bot-as-agent identification replaced with login check: - reply-to-feedback: removed comment-author-type output (unused after bot-guard removal), removed entire 'Check bot guard' step and its steps.bot-guard.outputs.is_bot guards on downstream steps - Reply context builder: replaced user_type='Bot' label with author='docker-agent' to identify agent's own prior replies Structural validation updated: - jq -e '.user.type and .body' → '.user.login and .body' (we now rely on .user.login, not .user.type) Assisted-By: docker-agent
docker-agent
force-pushed
the
fix/mention-reply-action
branch
from
1f10da2 to
fbbd8c5
Compare
Contributor
|
/review |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
When docker-agent posts a reply to a review thread it uses in_reply_to_id pointing to the root comment. In GitHub's threading model every reply in a thread shares the same in_reply_to_id (the root comment ID). So docker-agent's own reply fires a new pull_request_review_comment event → reply-to-feedback fires again → fetches the root comment → parent_user_login='docker-agent' ✓ → cagent-review marker present ✓ → is_agent=true → loops forever. Fix: add github.event.comment.user.login != 'docker-agent' to the direct-event branch of reply-to-feedback's if: condition. The trigger path (workflow_run via artifact) needed the same guard but the author login wasn't available as a job output. Fix: - Add comment-author to resolve-context's outputs block - Extract it alongside comment-json in the Read context step (jq -r '.user.login' from the saved comment.json artifact) - Add needs.resolve-context.outputs.comment-author != 'docker-agent' to the trigger branch of reply-to-feedback's if: condition Both loop vectors are now closed at the job level before any steps run. Assisted-By: docker-agent
docker-agent
force-pushed
the
fix/mention-reply-action
branch
from
d5d0fea to
2eba170
Compare
derekmisler
approved these changes
May 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes
Fix 1: Add missing
review-pr/mention-reply/action.ymlThe
reply-to-mentionjob inreview-pr.ymlreferences:But the composite action at
review-pr/mention-reply/action.ymlwas never created. This would cause a runtime failure on any@docker-agentmention.New file follows
review-pr/reply/action.ymlexactly, with:mention-contextinput instead ofthread-contextcomment-idinput (caller doesn't pass it)pr-review-mention-reply.yamlagentmention-reply-prefixFix 2: Remove spurious
actions: readfromreview-pr.yml(root cause of startup_failure)review-pr.ymldeclaredactions: readat both the workflow level and thereply-to-feedbackjob level. This causedstartup_failurein any caller that didn't explicitly grantactions: readto their GITHUB_TOKEN (e.g.docker/gordon):Why it's safe to remove: Both
actions/download-artifactsteps that perform cross-run downloads already passgithub-token: ${{ env.GITHUB_APP_TOKEN }}explicitly. GITHUB_TOKEN is never used for artifact downloads. GITHUB_APP_TOKEN (fetched via OIDC/AWS Secrets Manager bysetup-credentials) independently carries the necessary scope — no declaration on GITHUB_TOKEN is needed.Removing it eliminates the permission requirement for callers without breaking any functionality.
Validation
pnpm lint(biome CI +tsc --noEmit+actionlint) passes with no errors.