From 540d1e34ab9470166861238b70f96310e661839a Mon Sep 17 00:00:00 2001
From: Bernardo Donadio
Date: Sun, 2 Nov 2025 08:59:20 -0300
Subject: [PATCH 1/4] fix(ci): skip codecov and claude-review for Dependabot PRs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes CI failures on Dependabot PRs #3 and #4 caused by missing secrets. GitHub restricts access to secrets in Dependabot PRs for security reasons.
This change:
- Skips codecov upload and test reporter steps for Dependabot PRs
- Skips the entire Claude Code Review workflow for Dependabot PRs
- Tests still run and must pass for Dependabot PRs
This allows automated dependency updates to pass CI while maintaining security and test coverage requirements.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 .github/workflows/ci.yml                 | 4 ++--
 .github/workflows/claude-code-review.yml | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f288647..6ff2e53 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -212,7 +212,7 @@ jobs:
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
-        if: always()
+        if: always() && github.actor != 'dependabot[bot]'
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: ./coverage.xml,./junit.xml
 
@@ -223,7 +223,7 @@ jobs:
       - name: Publish test results
         uses: dorny/test-reporter@d61b558e8df85cb60d09ca3e5b09653b4477cea7 # v1
-        if: always()
+        if: always() && github.actor != 'dependabot[bot]'
         with:
           name: Test Results
           path: junit.xml
 
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 205b0fe..23f0a6d 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
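Review bot: `always()` in the two new `if:` conditions (Codecov upload, then Publish test results) still runs both steps when the workflow run was cancelled; `!cancelled()` is the usual replacement, giving `if: !cancelled() && github.actor != 'dependabot[bot]'`. The actor check covers only Dependabot-triggered runs, and pull requests from forks presumably hit the same failure (no repository secrets, read-only GITHUB_TOKEN), so that case remains open. The reason for the condition lives only in the commit message; a comment above each step such as `# Dependabot-triggered runs only see Dependabot secrets, so CODECOV_TOKEN is absent` would keep it with the code. Both steps' `with:` blocks continue outside the hunks.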
@@ -12,6 +12,8 @@ on:
 
 jobs:
   claude-review:
+    # Skip for Dependabot PRs as they don't have access to secrets
+    if: github.actor != 'dependabot[bot]'
     # Optional: Filter by PR author
     # if: |
     #   github.event.pull_request.user.login == 'external-contributor' ||
@@ -54,4 +56,3 @@ jobs:
           # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
           # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
           claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
-

From de3db71728da51f61497d78e21ea40f84b6a769f Mon Sep 17 00:00:00 2001
From: Bernardo Donadio
Date: Sun, 2 Nov 2025 09:05:01 -0300
Subject: [PATCH 2/4] fix: make Claude Code Review non-blocking
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Claude Code Review workflow fails when:
1. The workflow file itself is modified (security validation)
2. Required secrets are unavailable
Adding `continue-on-error: true` makes this check advisory rather than required, preventing it from blocking valid PRs. This complements the Dependabot skip condition added earlier.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 .github/workflows/claude-code-review.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 23f0a6d..5b85ef0 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -20,6 +20,9 @@ jobs:
     #   github.event.pull_request.user.login == 'new-developer' ||
     #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
 
+    # Don't block PR merges if this job fails (e.g., when workflow file is modified or secrets are unavailable)
+    continue-on-error: true
+
     runs-on: ubuntu-latest
     permissions:
       contents: read
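Review bot: The new job-level `if:` sits directly above the commented-out `# if: |` author-filter example, so anyone who later uncomments that example creates a duplicate `if` key in the `claude-review` mapping; most YAML parsers take the last one silently and the Dependabot skip would disappear without an error. Reword the example so it extends the live condition instead, e.g. `# To also filter by PR author, extend the expression above with && github.event.pull_request.user.login == '...'`. `github.actor` is the user who triggered the run, so a maintainer pushing to a Dependabot branch makes the review run with normal repository secrets; if that is intended it is worth stating in the comment. The `claude-review` job continues outside the hunk.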
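Review bot: Job-level `continue-on-error: true` reports `claude-review` as successful even when it failed because a secret is missing or the action itself errored, so a broken review configuration is invisible in the checks list and only shows as an annotation. Patch 3/4 of this series removes the setting again, so the two commits could be squashed to keep this state out of history. If an advisory check is genuinely wanted, `continue-on-error` on the action step rather than the job keeps failures of the job's own setup visible. The `claude-review` job continues outside the hunk.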
From 070a001177f4f72dc67f00809f30ec0d03d0b24f Mon Sep 17 00:00:00 2001
From: Bernardo Donadio
Date: Sun, 2 Nov 2025 09:06:51 -0300
Subject: [PATCH 3/4] fix: skip Claude review when workflow files are modified
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Using paths-ignore prevents the workflow from running on PRs that modify workflow files, avoiding GitHub's security validation errors. This is cleaner than continue-on-error as the check won't run at all when it would fail validation.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 .github/workflows/claude-code-review.yml | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 5b85ef0..611f02d 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -3,12 +3,9 @@ name: Claude Code Review
 on:
   pull_request:
     types: [opened, synchronize]
-    # Optional: Only run on specific file changes
-    # paths:
-    #   - "src/**/*.ts"
-    #   - "src/**/*.tsx"
-    #   - "src/**/*.js"
-    #   - "src/**/*.jsx"
+    # Don't run when workflow files are modified (causes validation errors)
+    paths-ignore:
+      - '.github/workflows/**'
 
 jobs:
   claude-review:
@@ -20,9 +17,6 @@ jobs:
     #   github.event.pull_request.user.login == 'new-developer' ||
     #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
 
-    # Don't block PR merges if this job fails (e.g., when workflow file is modified or secrets are unavailable)
-    continue-on-error: true
-
     runs-on: ubuntu-latest
     permissions:
       contents: read

From 7fae3c3fe978c679670ae84d9764bc6e9f0b0c51 Mon Sep 17 00:00:00 2001
From: Bernardo Donadio
Date: Sun, 2 Nov 2025 09:14:06 -0300
Subject: [PATCH 4/4] (fix) prevent double prefixing dependabot PRs

---
 .github/dependabot.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

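Review bot: `paths-ignore: - '.github/workflows/**'` skips the whole workflow, and a workflow skipped by path filtering leaves its check in a Pending state rather than Skipped; if `claude-review` is a required status check in branch protection (not visible here), pull requests that touch workflow files can never be merged. A job-level `if:` like the Dependabot condition reports Skipped, which satisfies required checks, but an expression cannot inspect changed paths on its own, so the trade-off should at least be documented. Changes under `.github/workflows/` are also the ones that alter the repository's CI trust boundary, so excluding them from automated review deserves an explicit comment such as `# Workflow-file changes are excluded from automated review and must be reviewed manually`. The `on:` block is fully inside the hunk; the `claude-review` job continues outside it.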
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 4597f4e..643c9d3 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -14,7 +14,7 @@ updates:
       - "dependencies"
       - "python"
     commit-message:
-      prefix: "chore(deps)"
+      prefix: "chore"
       include: "scope"
     groups:
       python-dependencies:
@@ -42,7 +42,7 @@ updates:
       - "dependencies"
       - "github-actions"
     commit-message:
-      prefix: "chore(deps)"
+      prefix: "chore"
       include: "scope"
     groups:
       github-actions:
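Review bot: Nothing next to `prefix: "chore"` records why the `(deps)` scope was dropped: with `include: "scope"` Dependabot appends its own scope (`deps` or `deps-dev`) to the prefix, which is what produced the doubled `chore(deps)(deps):` titles. A comment above each `prefix:` such as `# Dependabot appends "(deps)"/"(deps-dev)" itself when include: "scope" is set` would stop a later maintainer from reintroducing it; the same applies to the second hunk for the github-actions ecosystem. Each `updates:` entry continues outside the hunks.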