update cagent-action to latest (with better permissions)#13665
Open
derekmisler wants to merge 3 commits intodocker:mainfrom
Open
update cagent-action to latest (with better permissions)#13665derekmisler wants to merge 3 commits intodocker:mainfrom
derekmisler wants to merge 3 commits intodocker:mainfrom
Conversation
derekmisler
commented
Mar 24, 2026
Comment on lines
-11
to
-15
| # Serialize reviews per PR; do not cancel in-progress runs | ||
| # so no review is silently dropped mid-execution. | ||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.issue.number }} | ||
| cancel-in-progress: false |
Author
There was a problem hiding this comment.
This is already baked into the action.
derekmisler
commented
Mar 24, 2026
Comment on lines
-19
to
-33
| # Only run on the upstream repo (not forks) to prevent credential leaks. | ||
| # Skip draft PRs (ready_for_review will fire when promoted). | ||
| # Skip bot actors to avoid reviewing Dependabot and automation PRs. | ||
| # Require collaborator-level access for comment-triggered events. | ||
| # Only trigger on PR comments, not plain issue comments. | ||
| if: >- | ||
| github.repository == 'docker/compose' && | ||
| (github.event_name != 'pull_request_target' || github.event.pull_request.draft == false) && | ||
| (github.event_name == 'pull_request_target' || | ||
| (github.event_name == 'issue_comment' && | ||
| github.event.issue.pull_request && | ||
| contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) || | ||
| (github.event_name == 'pull_request_review_comment' && | ||
| contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association))) && | ||
| !endsWith(github.actor, '[bot]') |
Author
There was a problem hiding this comment.
This is also now included in the action.
Signed-off-by: Derek Misler <derek.misler@docker.com>
derekmisler
force-pushed
the
update-cagent-action-to-latest-with-better-permis
branch
from
4417b26 to
4b44171
Compare
There was a problem hiding this comment.
Pull request overview
Updates the PR review automation workflow to use the latest docker/cagent-action reusable workflow and simplifies the workflow logic by relying on the action’s built-in filtering/serialization.
Changes:
- Bump
docker/cagent-actionreusable workflow pin to v1.3.1. - Switch auto-review trigger from
pull_request_targettopull_request, keeping/reviewviaissue_comment. - Add top-level
permissions: contents: readand scope job-level permissions explicitly; remove prior workflow-levelifgating andconcurrency.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Derek Misler <derekmisler@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Derek Misler <derekmisler@gmail.com>
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What I did
Upgrade
docker/cagent-actionfrom v1.2.13 to v1.3.1 and simplify the PR review workflow.Key changes:
dba0ca51…@v1.3.1, which handles filtering logic (draft PRs, bot actors, collaborator checks) internally — removing ~20 lines of hand-rolledifconditions from the workflow.pull_request_targettopull_request— the new action version manages fork PR security itself, sopull_request_targetis no longer needed. Fork PRs can still be reviewed via the/reviewcomment command.permissions: contents: readsoissue_comment-triggered runs can access secrets, and scope remaining permissions to thereviewjob to follow least-privilege.concurrencyblock — the updated action handles review serialization internally.Related issue
Closes: https://github.com/docker/gordon/issues/272
(not mandatory) A picture of a cute animal, if possible in relation to what you did
🤖🐙 (an AI octopus reviewing pull requests)