Fix bot author allowlists (#3162)

## Summary - accept `keppo-bot[bot]` in GitHub Actions author checks that read raw `github.*` logins - switch Claude PR Review to `allowed_bots: \"keppo-bot[bot]\"` instead of treating the bot as a non-write user - trust `copilot-pull-request-reviewer` in the PR comment-fixing skill ## Test plan - `npm run fmt` - `npm run lint:fix` - `npm run ts` - `npm test` 🤖 Generated with [Claude Code](https://claude.com/claude-code)  --- <a href="https://app.devin.ai/review/dyad-sh/dyad/pull/3162" target="_blank"> <picture> <source media="(prefers-color-scheme: dark)" srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1"> <img src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1" alt="Open with Devin"> </picture> </a>  --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Will Chen <7344640+wwwillchen@users.noreply.github.com>

Fix bot author allowlists (#3162)
7b74c5f2 · keppo-bot[bot] · GitHub · 55e3ad70 · 7b74c5f2 · 7b74c5f2
--- a/.claude/skills/pr-fix-comments/SKILL.md
+++ b/.claude/skills/pr-fix-comments/SKILL.md
@@ -28,6 +28,7 @@ Only process review comments from these trusted authors. Comments from other aut
 **Trusted bots:**
+- copilot-pull-request-reviewer
 - gemini-code-assist
 - greptile-apps
 - cubic-dev-ai

--- a/.github/workflows/bugbot-trigger.yml
+++ b/.github/workflows/bugbot-trigger.yml
@@ -11,14 +11,11 @@ jobs:
  trigger-bugbot:
    environment: ai-bots
    # Only review code from regular contributors since bug bot has a capped # of PR reviews.
-    if: |
+    if: >-
-      (github.event.pull_request.user.login == 'wwwillchen' ||
+      contains(
-      github.event.pull_request.user.login == 'keppo-bot' ||
+        fromJSON('["wwwillchen","keppo-bot","keppo-bot[bot]","dyad-assistant","azizmejri1","princeaden1","nourzakhama2003","ryangroch"]'),
-      github.event.pull_request.user.login == 'dyad-assistant' ||
+        github.event.pull_request.user.login
-      github.event.pull_request.user.login == 'azizmejri1' ||
+      ) &&
-      github.event.pull_request.user.login == 'princeaden1' ||
-      github.event.pull_request.user.login == 'nourzakhama2003' ||
-      github.event.pull_request.user.login == 'ryangroch') &&
      !contains(github.event.pull_request.body, '#skip-bugbot') &&
      !contains(github.event.pull_request.body, '#skip-bb')
    runs-on: ubuntu-latest

--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -86,17 +86,20 @@ jobs:
            AUTHOR="${{ github.event.pull_request.user.login }}"
          fi
          echo "Author: $AUTHOR"
-          if [ "$AUTHOR" = "wwwillchen" ] || [ "$AUTHOR" = "keppo-bot" ] || [ "$AUTHOR" = "dyad-assistant" ] || [ "$AUTHOR" = "azizmejri1" ]; then
+          case "$AUTHOR" in
-            echo "is_privileged=true" >> $GITHUB_OUTPUT
+            wwwillchen|keppo-bot|keppo-bot[bot]|dyad-assistant|azizmejri1)
-          else
+              echo "is_privileged=true" >> $GITHUB_OUTPUT
-            echo "is_privileged=false" >> $GITHUB_OUTPUT
+              ;;
-          fi
+            *)
+              echo "is_privileged=false" >> $GITHUB_OUTPUT
+              ;;
+          esac
      # Sets the dynamic matrix for the build and e2e-tests jobs based on the PR author.
      # The "image" field is a JSON-encoded array string so that fromJSON() in runs-on
      # can produce the correct label(s) for both GitHub-hosted and self-hosted runners.
      #
-      # Privileged authors (wwwillchen, keppo-bot, dyad-assistant, azizmejri1):
+      # Privileged authors (wwwillchen, keppo-bot/keppo-bot[bot], dyad-assistant, azizmejri1):
      #   - Self-hosted macOS ARM64 runners, no Windows, no sharding.
      #
      #   build (macOS self-hosted) ──> e2e-tests (macOS self-hosted, shard 1/1)

--- a/.github/workflows/claude-pr-review.yml
+++ b/.github/workflows/claude-pr-review.yml
@@ -21,14 +21,11 @@ jobs:
    # It's also a safe-guard for preventing malicious PRs from doing bad things although we restrict
    # the permissions and tools allowed in this job.
    # https://github.com/anthropics/claude-code-action/blob/main/examples/pr-review-filtered-authors.yml
-    if: |
+    if: >-
-      github.event.pull_request.user.login == 'wwwillchen' ||
+      contains(
-      github.event.pull_request.user.login == 'keppo-bot' ||
+        fromJSON('["wwwillchen","keppo-bot","keppo-bot[bot]","dyad-assistant","azizmejri1","princeaden1","nourzakhama2003","ryangroch"]'),
-      github.event.pull_request.user.login == 'dyad-assistant' ||
+        github.event.pull_request.user.login
-      github.event.pull_request.user.login == 'azizmejri1' ||
+      )
-      github.event.pull_request.user.login == 'princeaden1' ||
-      github.event.pull_request.user.login == 'nourzakhama2003' ||
-      github.event.pull_request.user.login == 'ryangroch'
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
@@ -62,7 +59,8 @@ jobs:
          # See: https://github.com/anthropics/claude-code-action/blob/v1/docs/security.md
          github_token: ${{ steps.app-token.outputs.token }}
-          allowed_non_write_users: "princeaden1,keppo-bot,dyad-assistant,nourzakhama2003,ryangroch" # remember, we already filter above.
+          allowed_non_write_users: "princeaden1,nourzakhama2003,ryangroch" # remember, we already filter above.
+          allowed_bots: "keppo-bot[bot]"
          # Disable progress tracking (try to save tokens)
          track_progress: false

--- a/.github/workflows/claude-rebase.yml
+++ b/.github/workflows/claude-rebase.yml
@@ -36,7 +36,7 @@ jobs:
          github-token: ${{ steps.base-app-token.outputs.token }}
          script: |
            const pr = context.payload.pull_request;
-            const allowedUsers = ['wwwillchen', 'keppo-bot', 'dyad-assistant', 'azizmejri1', 'princeaden1'];
+            const allowedUsers = ['wwwillchen', 'keppo-bot', 'keppo-bot[bot]', 'dyad-assistant', 'azizmejri1', 'princeaden1'];
            if (!allowedUsers.includes(pr.user.login)) {
              console.log(`PR author ${pr.user.login} is not allowed to use this workflow`);
              core.setOutput('should_continue', 'false');

--- a/.github/workflows/label-rebase-prs.yml
+++ b/.github/workflows/label-rebase-prs.yml
@@ -26,7 +26,7 @@ jobs:
        with:
          github-token: ${{ steps.app-token.outputs.token }}
          script: |
-            const allowedAuthors = ['wwwillchen', 'keppo-bot', 'dyad-assistant'];
+            const allowedAuthors = ['wwwillchen', 'keppo-bot', 'keppo-bot[bot]', 'dyad-assistant'];
            const prs = await github.paginate(github.rest.pulls.list, {
              owner: context.repo.owner,

--- a/.github/workflows/pr-review-responder.yml
+++ b/.github/workflows/pr-review-responder.yml
@@ -65,7 +65,7 @@ jobs:
              // Check that the person who applied the label is a trusted actor
              const actor = context.actor;
-              const allowedActors = ['wwwillchen', 'keppo-bot', 'dyad-assistant'];
+              const allowedActors = ['wwwillchen', 'keppo-bot', 'keppo-bot[bot]', 'dyad-assistant'];
              if (!allowedActors.includes(actor)) {
                console.log(`Label applied by ${actor} who is not in the allowed actors list`);
                core.setOutput('should_continue', 'false');
@@ -128,8 +128,8 @@ jobs:
              prAuthor = pr.user.login;
            }
-            // Only allow wwwillchen, keppo-bot, dyad-assistant, and princeaden1 to use this workflow
+            const allowedAuthors = ['wwwillchen', 'keppo-bot', 'keppo-bot[bot]', 'dyad-assistant', 'princeaden1'];
-            if (prAuthor !== 'wwwillchen' && prAuthor !== 'keppo-bot' && prAuthor !== 'dyad-assistant' && prAuthor !== 'princeaden1') {
+            if (!allowedAuthors.includes(prAuthor)) {
              console.log(`PR #${prNumber} author ${prAuthor} is not allowed to use this workflow`);
              core.setOutput('should_continue', 'false');
              return;