Exempt Dependabot PRs from the PR gate (#4395)

## What

Adds a trusted-bot exception to the PR gate so Dependabot's PRs are no
longer auto-closed.

## Why

The PR gate (`scripts/pr-gate/`, run by `.github/workflows/pr-gate.yml`)
auto-closes PRs that don't fit the contribution workflow. Dependabot PRs
were getting closed because the bot:

- has no repo permission,
- links no `approved` issue, and
- opens dependency bumps that often exceed the 50-line small-fix cap.

## How

- `config.ts` — new `TRUSTED_BOT_AUTHORS` constant (currently
`["dependabot[bot]"]`), so the allowlist is easy to extend.
- `rules.ts` — new `checkTrustedBot()` rule, wired into `evaluate()`
right after the maintainer bypass and before the repo-access check.
- `tests/PrGateRules.test.ts` — unit tests for the rule plus an
`evaluate()`-level test proving a 5000-line Dependabot PR now passes
instead of closing.
- `README.md` — documented the new rule in the gate-logic ordering.

The match is exact, so a lookalike login (e.g. `not-dependabot[bot]`)
won't slip through. Add more bots (Renovate, etc.) to
`TRUSTED_BOT_AUTHORS` as needed.

## Testing

`npx vitest tests/PrGateRules.test.ts --run` → 39 passed. Lint +
prettier clean.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Evan
2026-06-23 15:45:26 -07:00
committed by GitHub
co-authored by Claude Opus 4.8
parent 1cb84a79df
commit c63bfb6d94
4 changed files with 53 additions and 4 deletions
+31
View File
@@ -4,6 +4,7 @@ import {
checkBypass,
checkRepoAccess,
checkSmallFix,
checkTrustedBot,
evaluate,
parseLinkedIssues,
type IssueMetadata,
@@ -109,6 +110,26 @@ describe("checkBypass", () => {
});
});
describe("checkTrustedBot", () => {
it("passes for dependabot[bot]", () => {
const r = checkTrustedBot(makePR({ user: { login: "dependabot[bot]" } }));
expect(r.action).toBe("pass");
});
it("returns next for a regular author", () => {
expect(checkTrustedBot(makePR({ user: { login: "alice" } })).action).toBe(
"next",
);
});
it("returns next for a lookalike bot author", () => {
expect(
checkTrustedBot(makePR({ user: { login: "not-dependabot[bot]" } }))
.action,
).toBe("next");
});
});
describe("checkRepoAccess", () => {
it("passes for admin, maintain, write permissions", async () => {
for (const permission of ["admin", "maintain", "write"]) {
@@ -273,6 +294,16 @@ describe("evaluate (priority ordering)", () => {
expect(r.action).toBe("pass");
});
it("trusted bot — large Dependabot PR passes without an issue", async () => {
const r = await evaluate(
makePR({ user: { login: "dependabot[bot]" } }),
[{ additions: 5000, deletions: 0 }],
async () => null,
async () => "none",
);
expect(r.action).toBe("pass");
});
it("close — large diff, no qualifying issue", async () => {
const r = await evaluate(
makePR(),