diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index a0306ed..ba697bc 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml @@ -59,6 +59,11 @@ jobs: path-to-signatures: "signatures/version1/cla.json" path-to-document: "https://github.com/devicecloud-dev/dcd-cli/blob/dev/CLA.md" branch: "cla-signatures" + # Do NOT lock the PR on merge (the action's default is true). release-please + # comments on its release PR *after* merge; a locked conversation makes that + # comment fail and takes down the whole Release job (npm publish + binaries + # never run). Keeping this false is load-bearing for the release pipeline. + lock-pullrequest-aftermerge: false # Internal maintainers (covered by employment/CCLA) + bots skip the prompt. allowlist: riglar,finalerock44,dependabot[bot],renovate[bot],*[bot] # Customise the bot's prompts if desired: diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index 3419419..1eac5d0 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -12,10 +12,11 @@ on: jobs: claude-review: - # The review needs CLAUDE_CODE_OAUTH_TOKEN, which is NOT exposed to PRs that - # run without secrets — Dependabot PRs and PRs from forks. Skip them so the - # check doesn't fail with an empty token; same-repo PRs only. - if: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' }} + # Skip PRs we shouldn't (or can't) review: + # - Dependabot / forks: no CLAUDE_CODE_OAUTH_TOKEN, so the action would fail. + # - release-please release PRs: just version bumps + changelog — nothing to + # review, and it must never block a release. + if: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' && !startsWith(github.head_ref, 'release-please--') }} runs-on: ubuntu-latest permissions: contents: read