
gh-aw activation guard blocks Dependabot PRs with sender.type != 'Bot' condition #1813

@Mossaka

Description

Problem

The gh-aw compiler generates an activation guard that explicitly blocks bot senders, which prevents Dependabot PRs from running agentic workflows like smoke tests.

In smoke-claude.lock.yml:54:

if: (github.event_name != 'pull_request' || (github.event.pull_request.head.repo.id == github.repository_id && github.event.sender.type != 'Bot'))

Dependabot's sender.type is 'Bot', so the activation job is skipped entirely — even if the secrets issue (see companion issue) is resolved.

Note: build-test.lock.yml does NOT have the sender.type != 'Bot' check, only the repo ID check, so it would work for Dependabot once secrets are available.

Context

This condition is generated by the gh-aw compiler, not manually authored. The sender.type != 'Bot' guard is a security measure to prevent untrusted bot actors from triggering agentic workflows. However, Dependabot is a trusted first-party GitHub bot operating on same-repo PRs.

Proposed Fix

This is an upstream issue in the gh-aw compiler. Possible approaches:

  1. Allow trusted bots: Change the condition to allowlist specific trusted bots (e.g., dependabot[bot]) rather than blocking all bots
  2. Remove bot check for same-repo PRs: The repo ID check (head.repo.id == repository_id) already guards against fork PRs. For same-repo PRs, the bot check may be unnecessary
  3. Make it configurable: Add a frontmatter option to control whether bot senders are allowed

Related
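As an added example (not code from gh-aw or from the issue author), the Python below models the quoted activation guard beside the "allow trusted bots" variant from approach 1 and runs both over constructed pull_request payloads. The `REPOSITORY_ID`, `TRUSTED_BOTS` allowlist and the minimal payload shape are assumptions made for the example.

```python
# Added example, not gh-aw code: models github.event / github.event_name as
# plain dicts and strings so both guard variants can be compared offline.
REPOSITORY_ID = 1001  # constructed: id of the repository running the workflow

# Assumed allowlist; the issue names dependabot[bot] as the trusted example.
TRUSTED_BOTS = {"dependabot[bot]"}


def current_guard(event_name: str, event: dict, repository_id: int = REPOSITORY_ID) -> bool:
    """Condition as emitted in smoke-claude.lock.yml:54: non-PR events pass;
    PRs pass only when the head repo is this repo AND the sender is not a Bot."""
    if event_name != "pull_request":
        return True
    pr = event["pull_request"]
    return pr["head"]["repo"]["id"] == repository_id and event["sender"]["type"] != "Bot"


def allowlist_guard(event_name: str, event: dict, repository_id: int = REPOSITORY_ID) -> bool:
    """Approach 1: keep the fork check unchanged, but let allowlisted bots through.
    Humans still pass; a Bot passes only if its login is in TRUSTED_BOTS."""
    if event_name != "pull_request":
        return True
    pr = event["pull_request"]
    if pr["head"]["repo"]["id"] != repository_id:
        return False  # fork PR: blocked regardless of who the sender is
    sender = event["sender"]
    return sender["type"] != "Bot" or sender["login"] in TRUSTED_BOTS


def pr_event(head_repo_id: int, login: str, sender_type: str) -> dict:
    """Build a minimal constructed pull_request payload with only the fields used."""
    return {"pull_request": {"head": {"repo": {"id": head_repo_id}}},
            "sender": {"login": login, "type": sender_type}}


# Constructed scenarios covering the cases discussed in the issue.
SCENARIOS = {
    "human same-repo PR": pr_event(REPOSITORY_ID, "octocat", "User"),
    "dependabot same-repo PR": pr_event(REPOSITORY_ID, "dependabot[bot]", "Bot"),
    "dependabot fork PR": pr_event(2002, "dependabot[bot]", "Bot"),
    "unknown bot same-repo PR": pr_event(REPOSITORY_ID, "some-app[bot]", "Bot"),
}


def compare() -> dict:
    """Return {scenario: (current_guard result, allowlist_guard result)}."""
    return {label: (current_guard("pull_request", ev), allowlist_guard("pull_request", ev))
            for label, ev in SCENARIOS.items()}


if __name__ == "__main__":
    for label, (cur, new) in compare().items():
        print(f"{label:26} current={cur!s:5} allowlist={new}")
```

Only the dependabot same-repo case changes between the two variants; fork PRs and bots outside the allowlist stay blocked, which is the property to check before relaxing the generated condition.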
