fix: add checkHumanActor to agent mode #826
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixes issue #641 where users were getting banned due to rapid successive Claude runs triggered by the synchronize event. Changes: - Add checkHumanActor call to agent mode's prepare() method to reject bot-triggered workflows unless explicitly allowed via allowed_bots - Update checkHumanActor to accept GitHubContext (union type) instead of just ParsedGitHubContext - Add tests for bot rejection/allowance in agent mode Claude-Generated-By: Claude Code (cli/claude-opus-4-5=100%) Claude-Steers: 1 Claude-Permission-Prompts: 3 Claude-Escapes: 0
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
| githubToken, | ||
| }: ModeOptions): Promise<ModeResult> { | ||
| // Check if actor is human (prevents bot-triggered loops) | ||
| await checkHumanActor(octokit.rest, context); |
Contributor
There was a problem hiding this comment.
Consider adding a note in docs/custom-automations.md about this bot-checking behavior. Users who have automation workflows triggered by bots (like on synchronize events) will encounter the "non-human actor" error and need guidance on when/how to use allowed_bots.
Suggested section:
### Bot-Triggered Workflows
By default, automation mode rejects bot-triggered workflows to prevent infinite loops (e.g., Claude pushes code → `synchronize` event → Claude runs again). If you need to allow specific bots:
\`\`\`yaml
allowed_bots: "dependabot,renovate" # Specific bots
# OR: allowed_bots: "*" # All bots (use with caution)
\`\`\`
**Warning**: Be careful with `synchronize` events, as this can create loops if your workflow pushes commits.
| githubToken: "test-token", | ||
| }), | ||
| ).resolves.toBeDefined(); | ||
| }); |
Contributor
There was a problem hiding this comment.
Consider adding two additional test cases:
1. GitHub API failure handling:
test("prepare method handles GitHub API failure gracefully", async () => {
const mockOctokit = {
rest: {
users: {
getByUsername: mock(() => Promise.reject(new Error("API Error"))),
},
},
} as any;
await expect(
agentMode.prepare({
context: contextWithPrompts,
octokit: mockOctokit,
githubToken: "test-token",
})
).rejects.toThrow();
});2. The actual bug scenario from issue #641:
test("prepare method prevents bot loop on synchronize/push event", async () => {
const syncContext = createMockAutomationContext({
eventName: "push", // The scenario that triggered issue #641
});
syncContext.actor = "claude-code[bot]";
syncContext.inputs.allowedBots = "";
const mockOctokit = {
rest: {
users: {
getByUsername: mock(() =>
Promise.resolve({
data: { login: "claude-code[bot]", id: 12345, type: "Bot" },
}),
),
},
},
} as any;
await expect(
agentMode.prepare({
context: syncContext,
octokit: mockOctokit,
githubToken: "test-token",
})
).rejects.toThrow("Workflow initiated by non-human actor");
});These tests would validate both error resilience and the specific scenario that caused the original issue.
amorriscode
approved these changes
Jan 15, 2026
hackyon-anthropic
approved these changes
Jan 15, 2026
1 task
theihor
added a commit
to kernel-patches/vmtest
that referenced
this pull request
Jan 19, 2026
Recent change in claude-code-action [1] fixed a bug, where checkHumanActor check was not performed. This broke the AI code review workflows [2], because we unknowingly relied on the bug by not providing "allowed_bots" action parameter. Fix this by specifying allowed bots. [1] anthropics/claude-code-action#826 [2] https://github.com/kernel-patches/bpf/actions/runs/21141584029/job/60796745476 Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
theihor
added a commit
to kernel-patches/vmtest
that referenced
this pull request
Jan 19, 2026
Recent change in claude-code-action [1] fixed a bug, where checkHumanActor check was not performed. This broke the AI code review workflows [2], because we unknowingly relied on the bug by not providing "allowed_bots" action parameter. Fix this by specifying allowed bots. [1] anthropics/claude-code-action#826 [2] https://github.com/kernel-patches/bpf/actions/runs/21141584029/job/60796745476 Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
mergify bot
added a commit
to robfrank/linklift
that referenced
this pull request
Jan 25, 2026
Bumps the github-actions group with 7 updates: | Package | From | To | | --- | --- | --- | | [actions/setup-python](https://github.com/actions/setup-python) | `6.1.0` | `6.2.0` | | [actions/cache](https://github.com/actions/cache) | `5.0.1` | `5.0.2` | | [actions/setup-java](https://github.com/actions/setup-java) | `5.1.0` | `5.2.0` | | [anchore/scan-action](https://github.com/anchore/scan-action) | `7.2.3` | `7.3.0` | | [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) | `1.0.29` | `1.0.31` | | [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) | `8.0.0` | `8.1.0` | | [ruby/setup-ruby](https://github.com/ruby/setup-ruby) | `1.283.0` | `1.286.0` | Updates `actions/setup-python` from 6.1.0 to 6.2.0 Release notes *Sourced from [actions/setup-python's releases](https://github.com/actions/setup-python/releases).* > v6.2.0 > ------ > > What's Changed > -------------- > > ### Dependency Upgrades > > * Upgrade dependencies to Node 24 compatible versions by [`@salmanmkc`](https://github.com/salmanmkc) in [actions/setup-python#1259](https://redirect.github.com/actions/setup-python/pull/1259) > * Upgrade urllib3 from 2.5.0 to 2.6.3 in `/__tests__/data` by [`@dependabot`](https://github.com/dependabot) in [actions/setup-python#1253](https://redirect.github.com/actions/setup-python/pull/1253) and [actions/setup-python#1264](https://redirect.github.com/actions/setup-python/pull/1264) > > **Full Changelog**: <actions/setup-python@v6...v6.2.0> Commits * [`a309ff8`](actions/setup-python@a309ff8) Bump urllib3 from 2.6.0 to 2.6.3 in /**tests**/data ([#1264](https://redirect.github.com/actions/setup-python/issues/1264)) * [`bfe8cc5`](actions/setup-python@bfe8cc5) Upgrade [`@actions`](https://github.com/actions) dependencies to Node 24 compatible versions ([#1259](https://redirect.github.com/actions/setup-python/issues/1259)) * [`4f41a90`](actions/setup-python@4f41a90) Bump urllib3 from 2.5.0 to 2.6.0 in /**tests**/data ([#1253](https://redirect.github.com/actions/setup-python/issues/1253)) * See full diff in [compare view](actions/setup-python@83679a8...a309ff8) Updates `actions/cache` from 5.0.1 to 5.0.2 Release notes *Sourced from [actions/cache's releases](https://github.com/actions/cache/releases).* > v.5.0.2 > ------- > > v5.0.2 > ====== > > What's Changed > -------------- > > When creating cache entries, 429s returned from the cache service will not be retried. Changelog *Sourced from [actions/cache's changelog](https://github.com/actions/cache/blob/main/RELEASES.md).* > Releases > ======== > > Changelog > --------- > > ### 5.0.2 > > * Bump `@actions/cache` to v5.0.3 [#1692](https://redirect.github.com/actions/cache/pull/1692) > > ### 5.0.1 > > * Update `@azure/storage-blob` to `^12.29.1` via `@actions/cache@5.0.1` [#1685](https://redirect.github.com/actions/cache/pull/1685) > > ### 5.0.0 > > > [!IMPORTANT] > > `actions/cache@v5` runs on the Node.js 24 runtime and requires a minimum Actions Runner version of `2.327.1`. > > If you are using self-hosted runners, ensure they are updated before upgrading. > > ### 4.3.0 > > * Bump `@actions/cache` to [v4.1.0](https://redirect.github.com/actions/toolkit/pull/2132) > > ### 4.2.4 > > * Bump `@actions/cache` to v4.0.5 > > ### 4.2.3 > > * Bump `@actions/cache` to v4.0.3 (obfuscates SAS token in debug logs for cache entries) > > ### 4.2.2 > > * Bump `@actions/cache` to v4.0.2 > > ### 4.2.1 > > * Bump `@actions/cache` to v4.0.1 > > ### 4.2.0 > > TLDR; The cache backend service has been rewritten from the ground up for improved performance and reliability. [actions/cache](https://github.com/actions/cache) now integrates with the new cache service (v2) APIs. > > The new service will gradually roll out as of **February 1st, 2025**. The legacy service will also be sunset on the same date. Changes in these release are **fully backward compatible**. > > **We are deprecating some versions of this action**. We recommend upgrading to version `v4` or `v3` as soon as possible before **February 1st, 2025.** (Upgrade instructions below). > > If you are using pinned SHAs, please use the SHAs of versions `v4.2.0` or `v3.4.0` > > If you do not upgrade, all workflow runs using any of the deprecated [actions/cache](https://github.com/actions/cache) will fail. ... (truncated) Commits * [`8b402f5`](actions/cache@8b402f5) Merge pull request [#1692](https://redirect.github.com/actions/cache/issues/1692) from GhadimiR/main * [`304ab5a`](actions/cache@304ab5a) license for httpclient * [`609fc19`](actions/cache@609fc19) Update licensed record for cache * [`b22231e`](actions/cache@b22231e) Build * [`93150cd`](actions/cache@93150cd) Add PR link to releases * [`9b8ca9f`](actions/cache@9b8ca9f) Bump actions/cache to 5.0.3 * See full diff in [compare view](actions/cache@9255dc7...8b402f5) Updates `actions/setup-java` from 5.1.0 to 5.2.0 Release notes *Sourced from [actions/setup-java's releases](https://github.com/actions/setup-java/releases).* > v5.2.0 > ------ > > What's Changed > -------------- > > ### Enhancement > > * Retry on HTTP 522 Connection timed out by [`@findepi`](https://github.com/findepi) in [actions/setup-java#964](https://redirect.github.com/actions/setup-java/pull/964) > > ### Documentation Changes > > * Update gradle caching by [`@priya-kinthali`](https://github.com/priya-kinthali) in [actions/setup-java#972](https://redirect.github.com/actions/setup-java/pull/972) > * Update checkout to v6 by [`@mahabaleshwars`](https://github.com/mahabaleshwars) in [actions/setup-java#973](https://redirect.github.com/actions/setup-java/pull/973) > > ### Dependency Updates > > * Upgrade `@actions/cache` to v5 by [`@salmanmkc`](https://github.com/salmanmkc) in [actions/setup-java#968](https://redirect.github.com/actions/setup-java/pull/968) > * Upgrade actions/checkout from 5 to 6 by [`@dependabot`](https://github.com/dependabot) in [actions/setup-java#961](https://redirect.github.com/actions/setup-java/pull/961) > > New Contributors > ---------------- > > * [`@findepi`](https://github.com/findepi) made their first contribution in [actions/setup-java#964](https://redirect.github.com/actions/setup-java/pull/964) > > **Full Changelog**: <actions/setup-java@v5...v5.2.0> Commits * [`be666c2`](actions/setup-java@be666c2) Chore: Version Update and Checkout Update to v6 ([#973](https://redirect.github.com/actions/setup-java/issues/973)) * [`f7a6fef`](actions/setup-java@f7a6fef) Bump actions/checkout from 5 to 6 ([#961](https://redirect.github.com/actions/setup-java/issues/961)) * [`d81c4e4`](actions/setup-java@d81c4e4) Upgrade `@actions/cache` to v5 ([#968](https://redirect.github.com/actions/setup-java/issues/968)) * [`1b1bbe1`](actions/setup-java@1b1bbe1) readme update ([#972](https://redirect.github.com/actions/setup-java/issues/972)) * [`5d7b214`](actions/setup-java@5d7b214) Retry on HTTP 522 Connection timed out ([#964](https://redirect.github.com/actions/setup-java/issues/964)) * See full diff in [compare view](actions/setup-java@f2beeb2...be666c2) Updates `anchore/scan-action` from 7.2.3 to 7.3.0 Release notes *Sourced from [anchore/scan-action's releases](https://github.com/anchore/scan-action/releases).* > v7.3.0 > ------ > > New in scan-action v7.3.0 > ------------------------- > > ⬆️ Dependencies > --------------- > > * chore(deps): bump `@actions/tool-cache` from 2.0.2 to 3.0.0 ([#567](https://redirect.github.com/anchore/scan-action/issues/567)) [[`@dependabot`](https://github.com/dependabot)] > * chore(deps): bump `@actions/cache` from 5.0.1 to 5.0.2 ([#568](https://redirect.github.com/anchore/scan-action/issues/568)) [[`@dependabot`](https://github.com/dependabot)] > * chore(deps): bump `@actions/core` from 2.0.1 to 2.0.2 ([#569](https://redirect.github.com/anchore/scan-action/issues/569)) [[`@dependabot`](https://github.com/dependabot)] > * chore(deps-dev): bump tar from 7.5.2 to 7.5.3 ([#574](https://redirect.github.com/anchore/scan-action/issues/574)) [[`@dependabot`](https://github.com/dependabot)] > * chore(deps): update Grype to v0.105.0 ([#572](https://redirect.github.com/anchore/scan-action/issues/572)) [[`@anchore-actions-token-generator`](https://github.com/anchore-actions-token-generator)[bot]] Commits * [`0d444ed`](anchore/scan-action@0d444ed) chore: update release drafter permissions ([#578](https://redirect.github.com/anchore/scan-action/issues/578)) * [`f9bddf7`](anchore/scan-action@f9bddf7) chore: update release drafter to include appropriate dependencies ([#577](https://redirect.github.com/anchore/scan-action/issues/577)) * [`ffeb136`](anchore/scan-action@ffeb136) chore(deps): bump `@actions/tool-cache` from 2.0.2 to 3.0.0 ([#567](https://redirect.github.com/anchore/scan-action/issues/567)) * [`32bbf28`](anchore/scan-action@32bbf28) chore(deps): bump `@actions/cache` from 5.0.1 to 5.0.2 ([#568](https://redirect.github.com/anchore/scan-action/issues/568)) * [`5f513a1`](anchore/scan-action@5f513a1) chore(deps): bump `@actions/core` from 2.0.1 to 2.0.2 ([#569](https://redirect.github.com/anchore/scan-action/issues/569)) * [`02ce04c`](anchore/scan-action@02ce04c) chore(deps-dev): bump tar from 7.5.2 to 7.5.3 ([#574](https://redirect.github.com/anchore/scan-action/issues/574)) * [`6ac601c`](anchore/scan-action@6ac601c) Chore better zizmor ([#573](https://redirect.github.com/anchore/scan-action/issues/573)) * [`e2f9cdb`](anchore/scan-action@e2f9cdb) chore(deps): update Grype to v0.105.0 ([#572](https://redirect.github.com/anchore/scan-action/issues/572)) * [`cddc16d`](anchore/scan-action@cddc16d) chore(deps): bump actions/setup-node from 6.1.0 to 6.2.0 ([#571](https://redirect.github.com/anchore/scan-action/issues/571)) * See full diff in [compare view](anchore/scan-action@62b74fb...0d444ed) Updates `anthropics/claude-code-action` from 1.0.29 to 1.0.31 Release notes *Sourced from [anthropics/claude-code-action's releases](https://github.com/anthropics/claude-code-action/releases).* > v1.0.31 > ------- > > What's Changed > -------------- > > * fix: ensure SSH signing key has trailing newline by [`@ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#834](https://redirect.github.com/anthropics/claude-code-action/pull/834) > * Consolidate CI workflows into a single entry point by [`@ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#836](https://redirect.github.com/anthropics/claude-code-action/pull/836) > * chore: bump Bun to 1.3.6 and setup-bun action to v2.1.2 by [`@ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#848](https://redirect.github.com/anthropics/claude-code-action/pull/848) > * refactor: remove CLI path, use Agent SDK exclusively by [`@ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#849](https://redirect.github.com/anthropics/claude-code-action/pull/849) > > **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.31> > > v1.0.30 > ------- > > What's Changed > -------------- > > * fix: parse ALL --allowed-tools flags, not just the first one by [`@AlexanderBartash`](https://github.com/AlexanderBartash) in [anthropics/claude-code-action#801](https://redirect.github.com/anthropics/claude-code-action/pull/801) > * docs: clarify that Claude does not auto-create PRs by default by [`@ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#824](https://redirect.github.com/anthropics/claude-code-action/pull/824) > * fix: add checkHumanActor to agent mode by [`@ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#826](https://redirect.github.com/anthropics/claude-code-action/pull/826) > * chore: comment out release-base-action job in release workflow by [`@ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#833](https://redirect.github.com/anthropics/claude-code-action/pull/833) > > New Contributors > ---------------- > > * [`@AlexanderBartash`](https://github.com/AlexanderBartash) made their first contribution in [anthropics/claude-code-action#801](https://redirect.github.com/anthropics/claude-code-action/pull/801) > > **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.30> Commits * [`2316a9a`](anthropics/claude-code-action@2316a9a) chore: bump Claude Code to 2.1.15 and Agent SDK to 0.2.15 * [`49cfcf8`](anthropics/claude-code-action@49cfcf8) refactor: remove CLI path, use Agent SDK exclusively ([#849](https://redirect.github.com/anthropics/claude-code-action/issues/849)) * [`e208124`](anthropics/claude-code-action@e208124) chore: bump Bun to 1.3.6 and setup-bun action to v2.1.2 ([#848](https://redirect.github.com/anthropics/claude-code-action/issues/848)) * [`ba60ef7`](anthropics/claude-code-action@ba60ef7) Consolidate CI workflows into a single entry point ([#836](https://redirect.github.com/anthropics/claude-code-action/issues/836)) * [`f3c892c`](anthropics/claude-code-action@f3c892c) chore: bump Claude Code to 2.1.11 and Agent SDK to 0.2.11 * [`6e896a0`](anthropics/claude-code-action@6e896a0) fix: ensure SSH signing key has trailing newline ([#834](https://redirect.github.com/anthropics/claude-code-action/issues/834)) * [`a017b83`](anthropics/claude-code-action@a017b83) chore: comment out release-base-action job in release workflow ([#833](https://redirect.github.com/anthropics/claude-code-action/issues/833)) * [`75f52e5`](anthropics/claude-code-action@75f52e5) chore: bump Claude Code to 2.1.9 and Agent SDK to 0.2.9 * [`1bbc9e7`](anthropics/claude-code-action@1bbc9e7) fix: add checkHumanActor to agent mode ([#826](https://redirect.github.com/anthropics/claude-code-action/issues/826)) * [`625ea15`](anthropics/claude-code-action@625ea15) docs: clarify that Claude does not auto-create PRs by default ([#824](https://redirect.github.com/anthropics/claude-code-action/issues/824)) * Additional commits viewable in [compare view](anthropics/claude-code-action@1b8ee3b...2316a9a) Updates `peter-evans/create-pull-request` from 8.0.0 to 8.1.0 Release notes *Sourced from [peter-evans/create-pull-request's releases](https://github.com/peter-evans/create-pull-request/releases).* > Create Pull Request v8.1.0 > -------------------------- > > What's Changed > -------------- > > * README.md: bump given GitHub actions to their latest versions by [`@deining`](https://github.com/deining) in [peter-evans/create-pull-request#4265](https://redirect.github.com/peter-evans/create-pull-request/pull/4265) > * build(deps): bump the github-actions group with 2 updates by [`@dependabot`](https://github.com/dependabot)[bot] in [peter-evans/create-pull-request#4273](https://redirect.github.com/peter-evans/create-pull-request/pull/4273) > * build(deps-dev): bump the npm group with 2 updates by [`@dependabot`](https://github.com/dependabot)[bot] in [peter-evans/create-pull-request#4274](https://redirect.github.com/peter-evans/create-pull-request/pull/4274) > * build(deps-dev): bump undici from 6.22.0 to 6.23.0 by [`@dependabot`](https://github.com/dependabot)[bot] in [peter-evans/create-pull-request#4284](https://redirect.github.com/peter-evans/create-pull-request/pull/4284) > * Update distribution by [`@actions-bot`](https://github.com/actions-bot) in [peter-evans/create-pull-request#4289](https://redirect.github.com/peter-evans/create-pull-request/pull/4289) > * fix: Handle remote prune failures gracefully on self-hosted runners by [`@peter-evans`](https://github.com/peter-evans) in [peter-evans/create-pull-request#4295](https://redirect.github.com/peter-evans/create-pull-request/pull/4295) > * feat: add `@octokit/plugin-retry` to handle retriable server errors by [`@peter-evans`](https://github.com/peter-evans) in [peter-evans/create-pull-request#4298](https://redirect.github.com/peter-evans/create-pull-request/pull/4298) > > New Contributors > ---------------- > > * [`@deining`](https://github.com/deining) made their first contribution in [peter-evans/create-pull-request#4265](https://redirect.github.com/peter-evans/create-pull-request/pull/4265) > > **Full Changelog**: <peter-evans/create-pull-request@v8.0.0...v8.1.0> Commits * [`c0f553f`](peter-evans/create-pull-request@c0f553f) feat: add `@octokit/plugin-retry` to handle retriable server errors ([#4298](https://redirect.github.com/peter-evans/create-pull-request/issues/4298)) * [`7000124`](peter-evans/create-pull-request@7000124) fix: Handle remote prune failures gracefully ([#4295](https://redirect.github.com/peter-evans/create-pull-request/issues/4295)) * [`34aa40e`](peter-evans/create-pull-request@34aa40e) build: update distribution ([#4289](https://redirect.github.com/peter-evans/create-pull-request/issues/4289)) * [`641099d`](peter-evans/create-pull-request@641099d) build(deps-dev): bump undici from 6.22.0 to 6.23.0 ([#4284](https://redirect.github.com/peter-evans/create-pull-request/issues/4284)) * [`2271f1d`](peter-evans/create-pull-request@2271f1d) build(deps-dev): bump the npm group with 2 updates ([#4274](https://redirect.github.com/peter-evans/create-pull-request/issues/4274)) * [`437c31a`](peter-evans/create-pull-request@437c31a) build(deps): bump the github-actions group with 2 updates ([#4273](https://redirect.github.com/peter-evans/create-pull-request/issues/4273)) * [`0979079`](peter-evans/create-pull-request@0979079) docs: update readme * [`5b751cd`](peter-evans/create-pull-request@5b751cd) README.md: bump given GitHub actions to their latest versions ([#4265](https://redirect.github.com/peter-evans/create-pull-request/issues/4265)) * See full diff in [compare view](peter-evans/create-pull-request@98357b1...c0f553f) Updates `ruby/setup-ruby` from 1.283.0 to 1.286.0 Release notes *Sourced from [ruby/setup-ruby's releases](https://github.com/ruby/setup-ruby/releases).* > v1.286.0 > -------- > > What's Changed > -------------- > > * Add truffleruby-33.0.1,truffleruby+graalvm-33.0.1 by [`@ruby-builder-bot`](https://github.com/ruby-builder-bot) in [ruby/setup-ruby#864](https://redirect.github.com/ruby/setup-ruby/pull/864) > > **Full Changelog**: <ruby/setup-ruby@v1.285.0...v1.286.0> > > v1.285.0 > -------- > > What's Changed > -------------- > > * Convert to String earlier in generate-windows-versions.rb by [`@eregon`](https://github.com/eregon) in [ruby/setup-ruby#862](https://redirect.github.com/ruby/setup-ruby/pull/862) > * Update all dependencies to latest by [`@eregon`](https://github.com/eregon) in [ruby/setup-ruby#863](https://redirect.github.com/ruby/setup-ruby/pull/863) > > **Full Changelog**: <ruby/setup-ruby@v1.284.0...v1.285.0> > > v1.284.0 > -------- > > What's Changed > -------------- > > * Fix compatibility to ruby-3.2 by [`@larskanis`](https://github.com/larskanis) in [ruby/setup-ruby#861](https://redirect.github.com/ruby/setup-ruby/pull/861) > > **Full Changelog**: <ruby/setup-ruby@v1.283.0...v1.284.0> Commits * [`90be115`](ruby/setup-ruby@90be115) Add truffleruby-33.0.1,truffleruby+graalvm-33.0.1 * [`e69dcf3`](ruby/setup-ruby@e69dcf3) Update all dependencies to latest * [`9f55308`](ruby/setup-ruby@9f55308) Convert to String earlier in generate-windows-versions.rb * [`80740b3`](ruby/setup-ruby@80740b3) Add new RubyInstaller releases 4.0.1-1 and 3.2.10-1 * [`5fcbc91`](ruby/setup-ruby@5fcbc91) Fix compatibility to ruby-3.2 * See full diff in [compare view](ruby/setup-ruby@708024e...90be115) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
danielorbach
added a commit
to go-digitaltwin/go-digitaltwin
that referenced
this pull request
Jan 25, 2026
claude-code-action v1.0.30 (released 2026-01-16) added checkHumanActor validation to agent mode via anthropics/claude-code-action#826. This security measure prevents bot-triggered workflows from causing rapid API calls that could result in account bans. The action now requires explicit opt-in via allowed_bots parameter for bot actors like Dependabot. Without this, workflows fail with: "Workflow initiated by non-human actor: dependabot (type: Bot)" The @v1 tag automatically picked up this breaking change, causing the ClauDependabot workflow to fail. Another repo with an identical workflow succeeded on 2025-12-23 because it ran before v1.0.30 was released. See: anthropics/claude-code-action#826 See: anthropics/claude-code-action#387
danielorbach
added a commit
to go-digitaltwin/go-digitaltwin
that referenced
this pull request
Jan 25, 2026
claude-code-action v1.0.30 (released 2026-01-16) added checkHumanActor validation to agent mode via anthropics/claude-code-action#826. This security measure prevents bot-triggered workflows from causing rapid API calls that could result in account bans. The action now requires explicit opt-in via allowed_bots parameter for bot actors like Dependabot. Without this, workflows fail with: "Workflow initiated by non-human actor: dependabot (type: Bot)" The @v1 tag automatically picked up this breaking change, causing the ClauDependabot workflow to fail. Another repo with an identical workflow succeeded on 2025-12-23 because it ran before v1.0.30 was released. See: anthropics/claude-code-action#826 See: anthropics/claude-code-action#387
galactic-king
added a commit
to go-digitaltwin/go-digitaltwin
that referenced
this pull request
Jan 25, 2026
The ClauDependabot workflow stopped functioning when `claude-code-action@v1` automatically updated to v1.0.30 on 2026-01-16. That release introduced bot-actor validation (anthropics/claude-code-action#826) as a security measure to prevent rapid, bot-triggered workflow loops that could exhaust API rate limits and result in account bans. The action now rejects bot actors unless explicitly allowed via the `allowed_bots` parameter. Without this configuration, Dependabot PRs trigger workflows that immediately fail with: "Workflow initiated by non-human actor: dependabot (type: Bot)". This change explicitly permits Dependabot to trigger Claude Code reviews by adding `allowed_bots: dependabot` to both minor and major review steps. The @v1 tag tracks the latest v1.x release, which provides convenience but exposes workflows to behavioral changes in patch releases. After merging, re-run #12 to verify the workflow succeeds with Dependabot as the triggering actor. See: anthropics/claude-code-action#826 See: anthropics/claude-code-action#387
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes issue #641 where users were getting banned due to rapid successive Claude runs triggered by the synchronize event.
Changes: