feat: disable fix agent auto-run on human-authored PRs #906

Open
ascerra wants to merge 1 commit into fullsend-ai:main from ascerra:disable-fix-agent-human-prs
ascerra commented May 14, 2026

Summary

  • When a human submits a PR, the fix agent no longer auto-triggers after the review agent requests changes. This is the new default behavior for human-authored PRs.
  • Bot-authored PRs (from the code agent) continue the existing auto-fix behavior unchanged.
  • Humans can opt in to the review-fix loop by adding the fullsend-fix label to their PR. The existing /fix slash command is unaffected.
  • Defense-in-depth check added in reusable-fix.yml so the fix agent itself validates PR author + label before running, even if a dispatcher bug lets an ineligible dispatch through.

Files changed

| File | Change |
| --- | --- |
| .github/workflows/fullsend.yaml | Gate dispatch-fix-bot on PR author being a bot OR having fullsend-fix label |
| .github/workflows/reusable-dispatch.yml | Add PR_USER_LOGIN env var; wrap fix stage routing in author/label check |
| .github/workflows/reusable-fix.yml | Rename "Check fullsend-no-fix label" to "Check fix eligibility"; add human-PR + label validation |
| internal/scaffold/fullsend-repo/.github/workflows/dispatch.yml | Mirror reusable-dispatch changes for per-repo installs; bump max-lines 380→385 |

Test plan

E2E tested in ascerra-fullsend-lab org with per-repo install on human-pr-fix-test repo:

1. Human PR, no label (PR #1) — fix agent SKIPPED ✅

2. Human PR, fullsend-fix label (PR #2) — fix agent auto-triggered ✅

3. Bot PR, no label (PR #4, author: ascerra-fullsend-lab-coder[bot]) — fix agent auto-triggered ✅

Other checks

  • make lint passes (except pre-existing lychee not-found)
  • hack/lint-workflow-size passes
  • make go-vet passes
  • No secret leaks in diff

@github-actions
fullsend review is working on this — view logs

github-actions Bot commented May 14, 2026

Site preview

Preview: https://12ebe775-site.fullsend-ai.workers.dev

Commit: fa639dd7f69b62fb3e434c7aee4d25760f9659e7

fullsend-ai-review Bot commented May 14, 2026

Review: #906

Head SHA: fa639dd
Timestamp: 2026-05-14T00:00:00Z
Outcome: approve

Summary

Clean, well-layered change that gates the fix agent on PR authorship. Human-authored PRs no longer auto-trigger the fix loop after review requests changes — humans must opt in via the fullsend-fix label. Bot-authored PRs retain existing behavior. The gate is implemented at three layers (job-level if in fullsend.yaml, bash routing in the dispatch workflows, and a defense-in-depth self-check in reusable-fix.yml), providing good redundancy. All four files are internally consistent, the per-repo scaffold mirrors the reusable workflow changes, and the logic fails closed when PR_USER_LOGIN is empty or the gh pr view query fails.

Findings

Critical

None.

High

None.

Medium

None.

Low

None.

Info

  • [correctness] reusable-fix.yml — The defense-in-depth check uses .author.login from gh pr view while the dispatch layers use github.event.pull_request.user.login. These are semantically equivalent (both return the PR creator's login), but the field name difference is worth noting for future maintainers.

  • [style] internal/scaffold/fullsend-repo/.github/workflows/dispatch.yml:1 — The max-lines bump from 380→385 correctly accounts for the 3 net new lines plus margin. Reasonable.

Footer

Outcome: approve
This review applies to SHA fa639dd7f69b62fb3e434c7aee4d25760f9659e7. Any push to the PR head clears this review and requires a new evaluation.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml
  • .github/workflows/reusable-dispatch.yml
  • .github/workflows/reusable-fix.yml

Previous run

Review: #906

Head SHA: 3700dd3
Timestamp: 2026-05-14T00:00:00Z
Outcome: approve

Summary

This PR cleanly gates fix-agent auto-dispatch on PR authorship: bot-authored PRs continue the existing auto-fix loop, while human-authored PRs skip it unless the fullsend-fix label is present. The implementation applies the check at three layers — the dispatch-fix-bot shim job condition in fullsend.yaml, the routing logic in both reusable-dispatch.yml and the per-repo scaffold dispatch.yml, and a defense-in-depth validation inside reusable-fix.yml itself. All three layers are consistent and fail-closed (if PR_USER_LOGIN is empty or author info is unavailable, the fix agent does not run). The fullsend-no-fix label retains precedence over fullsend-fix. The /fix slash command is correctly unaffected since it routes through the issue_comment path with its own authorization checks.

Findings

No critical, high, medium, or low findings.

Info

  • [correctness] reusable-fix.yml:249-255 — The gh pr view fallback || echo '{"labels":[],"author":""}' correctly produces fail-closed behavior: an empty author won't match [bot]$, and empty labels won't contain fullsend-fix. Good defensive coding.

  • [correctness] fullsend.yaml:205 / reusable-dispatch.yml:188 — The bot-detection heuristic (endsWith(..., '[bot]') / =~ \[bot\]$) relies on GitHub's reserved [bot] suffix for app-installed bot accounts. This is reliable since GitHub prevents human users from registering usernames containing [bot].

  • [style] internal/scaffold/fullsend-repo/.github/workflows/dispatch.yml:1 — The max-lines bump from 380 to 385 is appropriate for the 3 net new lines added.

Footer

Outcome: approve
This review applies to SHA 3700dd30b3de8a87a67ac95595b5fc7ad74f969d. Any push to the PR head clears this review and requires a new evaluation.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/fullsend.yaml
  • .github/workflows/reusable-dispatch.yml
  • .github/workflows/reusable-fix.yml

When a human submits a PR and the review agent requests changes, the fix
agent no longer auto-triggers. This is now the default behavior for
human-authored PRs. Bot-authored PRs (from the code agent) continue to
auto-trigger fixes as before.

Humans can opt in to the review-fix loop by adding the `fullsend-fix`
label to their PR. The existing `/fix` command for manual invocation is
unaffected.

Changes across all dispatch paths (org-level shim, reusable dispatcher,
per-repo scaffold):
- Gate fix dispatch on PR author ending in [bot] OR presence of
  `fullsend-fix` label
- Add defense-in-depth check in reusable-fix.yml that verifies PR
  author and label before running the fix agent

E2E tested in ascerra-fullsend-lab org (human-pr-fix-test repo):

1. Human PR, no label (PR fullsend-ai#1) — fix agent SKIPPED ✅
   - Review: https://github.com/ascerra-fullsend-lab/.fullsend/actions/runs/25836235094
   - Shim skipped dispatch-fix-bot: https://github.com/ascerra-fullsend-lab/human-pr-fix-test/actions/runs/25836370170

2. Human PR, fullsend-fix label (PR fullsend-ai#2) — fix agent auto-triggered ✅
   - Review: https://github.com/ascerra-fullsend-lab/.fullsend/actions/runs/25837485822
   - Shim dispatched fix: https://github.com/ascerra-fullsend-lab/human-pr-fix-test/actions/runs/25837620440
   - Fix agent succeeded: https://github.com/ascerra-fullsend-lab/.fullsend/actions/runs/25837623950

3. Bot PR, no label (PR fullsend-ai#4, author: ascerra-fullsend-lab-coder[bot]) — fix agent auto-triggered ✅
   - Code agent created PR: https://github.com/ascerra-fullsend-lab/.fullsend/actions/runs/25838129538
   - Review requested changes: https://github.com/ascerra-fullsend-lab/.fullsend/actions/runs/25838396492
   - Shim dispatched fix (no label needed): https://github.com/ascerra-fullsend-lab/human-pr-fix-test/actions/runs/25838580565
   - Fix agent succeeded: https://github.com/ascerra-fullsend-lab/.fullsend/actions/runs/25838584099

Co-authored-by: Cursor <cursoragent@cursor.com>

ascerra force-pushed the disable-fix-agent-human-prs branch from 3700dd3 to fa639dd on May 14, 2026 02:50
ralphbean left a comment

LGTM — clean, consistent three-layer gate with good defense-in-depth. One minor note inline.

if ! has_label "fullsend-no-fix" "${PR_LABELS}"; then
STAGE="fix"
TRIGGER_SOURCE="${REVIEW_USER_LOGIN}"
if [[ "${PR_USER_LOGIN}" =~ \[bot\]$ ]] || has_label "fullsend-fix" "${PR_LABELS}"; then
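
Review bot: The \[bot\]$ test on the last line of this hunk accepts any login that carries GitHub's [bot] suffix, so a PR opened by any other installed app (dependabot[bot], for example) takes the auto-fix path too, while the PR description scopes this branch to PRs from the code agent. If only the code agent should qualify, compare PR_USER_LOGIN against that agent's exact login or a short allowlist instead of the suffix. A one-line comment at this condition stating that fullsend-no-fix is checked first and wins over fullsend-fix would also record the precedence for maintainers.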

[minor] The /fix slash command path (~line 128) intentionally bypasses this gate — authorized users can trigger fix without the fullsend-fix label. A brief comment here noting that distinction would help future maintainers. (Noted, deferring.)
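
The eligibility rule discussed in this thread (fullsend-no-fix wins, then bot author or fullsend-fix label, otherwise skip), written out as an added example; it is not the PR's workflow code. The functions fix_decision and is_bot_login, the body of has_label, the comma-separated label format and the login alice are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR. Assumption: labels arrive as one
# comma-separated string; the real PR_LABELS format is not shown on the page.

# has_label NAME LABELS: succeeds only on an exact label match, so
# "not-fullsend-fix" or "fullsend-fix-later" never count as "fullsend-fix".
has_label() {
  case ",$2," in
    *",$1,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# is_bot_login LOGIN: succeeds only if LOGIN ends in the literal suffix
# [bot]. The quotes stop the shell reading [bot] as a character class.
is_bot_login() {
  case "$1" in
    *'[bot]') return 0 ;;
    *) return 1 ;;
  esac
}

# fix_decision AUTHOR LABELS: prints "run:<why>" or "skip:<why>".
# Order matters: the opt-out label is checked before any allow rule, and
# the final branch is a skip, so missing data can never produce "run".
fix_decision() {
  author=$1
  labels=$2
  if has_label "fullsend-no-fix" "$labels"; then
    echo "skip:no-fix-label"
  elif is_bot_login "$author"; then
    echo "run:bot-author"
  elif has_label "fullsend-fix" "$labels"; then
    echo "run:opt-in-label"
  else
    echo "skip:human-no-label"
  fi
}

# Constructed cases: the three from the test plan, then the empty
# author/labels pair that a failed PR lookup falls back to.
for c in 'alice|' 'alice|fullsend-fix' 'ascerra-fullsend-lab-coder[bot]|' '|'; do
  printf '%-34s -> %s\n' "$c" "$(fix_decision "${c%%|*}" "${c#*|}")"
done
```
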
