{{ message }}
fix(fro-bot): stop skipping issue_comment on PRs; require push+PR in prompt#2350
Merged
Conversation
…prompt Two related fixes to the fro-bot workflow: 1. Remove the `github.event.issue.pull_request == null` clause from the `if` condition. That clause was added during PR-fork hardening, but it also filters out every `@fro-bot` mention on a PR conversation thread: GitHub populates `issue.pull_request` (with the PR URL) for any comment on a PR, so the `== null` check always fails there. Result: dispatch-28186780497 (and earlier @-mentions on PRs) never reached the agent. The top-level `pull_request` fork hardening and the `author_association` (OWNER/MEMBER/COLLABORATOR) gate still block untrusted triggers. 2. Add an explicit DELIVERY CONTRACT to the AUTOHEAL_PROMPT. The same run wrote the fix to disk and stopped, reasoning that the 'caller workflow' would push and open a PR. There is no caller workflow — fro-bot is a single-step agent, and the agent that writes a fix is the agent that must ship it. The new contract requires creating a non-default branch, pushing it, and opening a PR (or updating an existing one) before the run ends, for every dispatched code change. Refs: https://github.com/bfra-me/.github/actions/runs/28186780497
Collaborator
Author
marcusrbrown
approved these changes
Jun 25, 2026
marcusrbrown
approved these changes
Jun 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

Why this PR exists
The dispatch-28186780497 run (https://github.com/bfra-me/.github/actions/runs/28186780497) was tasked with fixing the bug that prevents
@fro-botmentions on PR conversation threads from reaching the agent. It successfully identified the bug, edited the file, wrote a changeset, validated YAML, and reported:There is no caller workflow.
fro-bot.yamlis a single-step agent — the run that writes a fix is the only run that ever will. The agent stopped at "written to disk" and the working tree was discarded with the runner. Two related issues:1. Workflow bug:
issue_commenton PRs was filtered outifcondition in.github/workflows/fro-bot.yaml:The
github.event.issue.pull_request == nullclause was added during PR-fork hardening, but it also blocks every@fro-botmention on a PR conversation thread: GitHub populatesissue.pull_request(with the PR URL) for any comment on a PR, so the== nullcheck always fails there. PR #2292, wheremarcusrbrowncommented@fro-bot rebase and update this PR, is a concrete example that never reached the agent.Safety after the fix:
pull_requestfork hardening is unchanged (only relevant forpull_request/pull_request_review_commentevents, which do have a top-levelpull_requestfield).author_associationgate (OWNER/MEMBER/COLLABORATOR) still blocks untrusted commenters.issue_commentevents do not have a top-levelpull_request, so the first outerifclause (github.event.pull_request == null || ...) is a no-op for them and remains unchanged.2. Prompt bug: agent stopped at "the caller will push"
The
AUTOHEAL_PROMPThad hard boundaries that said "Direct pushes are allowed only to an existing non-default PR branch you are repairing under category 1, 2, or 7." That clause covered repairs, not fresh fixes. The agent reasonably read it as "don't push" and waited for a caller that doesn't exist. New DELIVERY CONTRACT section makes it explicit that for every dispatched code change the agent itself must: create a non-default branch, commit, push, andgh pr create(or update an existing PR for the same root cause).Files
.github/workflows/fro-bot.yaml— remove the badifclause; clarify the "direct push" boundary; add DELIVERY CONTRACT to the prompt.changeset/fix-fro-bot-issue-comment-on-pr.md— patch-level changeset per project conventionsVerification
pnpm run type-check: cleanpnpm run lint: cleanpnpm test: 641 / 641 passingpython3 -c "import yaml; yaml.safe_load(...)": parses cleanlyiffor@fro-botmention on a PR comment by aMEMBER: outergithub.event.pull_request == nullis true (issue_comment has no top-levelpull_request, so||short-circuits); innergithub.event_name == 'issue_comment'true, body contains@fro-bottrue, login!= fro-bottrue, associationMEMBER∈ [OWNER,MEMBER,COLLABORATOR] true → workflow runs.Refs
78d0817andf192ba2@fro-bot rebase and update this PR)