Skip Pro CI workflows for Dependabot PRs

[justin808]

Summary

• Add if: github.actor != 'dependabot[bot]' to the detect-changes job in all three Pro workflows (pro-integration-tests.yml, pro-lint.yml, pro-test-package-and-gem.yml)
• All downstream jobs need: detect-changes, so the entire workflow is skipped for Dependabot PRs
• Open-source CI workflows still run normally on Dependabot PRs

Closes #2171

Test plan

• Verify Dependabot PRs no longer trigger Pro workflows (check next Dependabot PR)
• Verify non-Dependabot PRs still trigger Pro workflows as before
• Verify workflow_dispatch still works with force_run

🤖 Generated with Claude Code

---

Note

Low Risk
Low risk: changes only add conditional guards to GitHub Actions workflows and refactor CLI logging/labels without altering core generation behavior.

Overview
Prevents Pro GitHub Actions workflows from running on Dependabot pull requests by adding an if guard to the shared detect-changes job in the Pro workflows, effectively skipping all downstream jobs that require Pro license secrets.

Refactors create-react-on-rails-app mode labeling to use explicit if/else precedence (--rsc over --pro) for both the generator step label (proModeLabel) and the initial console output (modeLabel).

^{Written by Cursor Bugbot for commit 07735a2. This will update automatically on new commits. Configure here.}

Summary by CodeRabbit

• Chores
  • CI workflows updated to skip certain change-detection steps for Dependabot PRs, reducing unnecessary CI runs.
• Bug Fixes
  • Generator messaging adjusted so mode (pro vs. rsc) is determined and displayed more explicitly in create-app output and related error messages.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 71b7a69d-590c-4306-b95a-247413397cd8

📥 Commits

Reviewing files that changed from the base of the PR and between 8aadbff and 07735a2.

📒 Files selected for processing (5)

• .github/workflows/pro-integration-tests.yml
• .github/workflows/pro-lint.yml
• .github/workflows/pro-test-package-and-gem.yml
• packages/create-react-on-rails-app/src/create-app.ts
• packages/create-react-on-rails-app/src/index.ts

✅ Files skipped from review due to trivial changes (2)

• packages/create-react-on-rails-app/src/index.ts
• .github/workflows/pro-lint.yml

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/workflows/pro-test-package-and-gem.yml
• .github/workflows/pro-integration-tests.yml

---

Walkthrough

The PR adds job-level guards to three Pro-related GitHub Actions workflows to skip the detect-changes job for Dependabot PRs, and refactors mode/label selection logic in two create-app TypeScript files to use explicit conditional assignments.

Changes

Cohort / File(s)	Summary
Pro workflow guards .github/workflows/pro-integration-tests.yml, .github/workflows/pro-lint.yml, .github/workflows/pro-test-package-and-gem.yml	Added `if: github.event_name != 'pull_request'
Create app mode/label logic packages/create-react-on-rails-app/src/create-app.ts, packages/create-react-on-rails-app/src/index.ts	Replaced compact ternary expressions with explicit let initialization and if / else if assignments for Pro/RSC mode label and modeLabel string construction to make mode selection logic more direct and readable.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through code with a twitch of my nose,
Skipping Pro checks where Dependabot goes,
Labels clarified, the logic made clear,
A tiny refactor — a happy cheer! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	Changes to create-app.ts and index.ts replacing nested ternaries with if/else statements are out of scope for the primary objective of skipping Pro workflows for Dependabot PRs.	Remove the unrelated lint fixes from this PR or move them to a separate PR focused on refactoring the ternary expressions to satisfy ESLint.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding conditions to skip Pro CI workflows for Dependabot pull requests across three workflow files.
Linked Issues check	✅ Passed	The PR implements the primary objective from issue #2171: preventing Dependabot PRs from failing Pro CI by adding conditions to skip the detect-changes job for Dependabot actors in three Pro workflow files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch jg/2171-skip-pro-ci-dependabot

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Condition skips Pro CI on main for Dependabot merges
  • Updated all three Pro workflow detect-changes job conditions to skip Dependabot only on pull_request events so push/main and workflow_dispatch still run.

Or push these changes by commenting:

@cursor push dfbe9e07b2

Preview (dfbe9e07b2)

diff --git a/.github/workflows/pro-integration-tests.yml b/.github/workflows/pro-integration-tests.yml
--- a/.github/workflows/pro-integration-tests.yml
+++ b/.github/workflows/pro-integration-tests.yml
@@ -27,7 +27,7 @@
 jobs:
   detect-changes:
     # Skip for Dependabot PRs — they can't access the Pro license secret
-    if: github.actor != 'dependabot[bot]'
+    if: github.event_name != 'pull_request' || github.actor != 'dependabot[bot]'
     permissions:
       contents: read
       actions: read

diff --git a/.github/workflows/pro-lint.yml b/.github/workflows/pro-lint.yml
--- a/.github/workflows/pro-lint.yml
+++ b/.github/workflows/pro-lint.yml
@@ -27,7 +27,7 @@
 jobs:
   detect-changes:
     # Skip for Dependabot PRs — they can't access the Pro license secret
-    if: github.actor != 'dependabot[bot]'
+    if: github.event_name != 'pull_request' || github.actor != 'dependabot[bot]'
     permissions:
       contents: read
       actions: read

diff --git a/.github/workflows/pro-test-package-and-gem.yml b/.github/workflows/pro-test-package-and-gem.yml
--- a/.github/workflows/pro-test-package-and-gem.yml
+++ b/.github/workflows/pro-test-package-and-gem.yml
@@ -27,7 +27,7 @@
 jobs:
   detect-changes:
     # Skip for Dependabot PRs — they can't access the Pro license secret
-    if: github.actor != 'dependabot[bot]'
+    if: github.event_name != 'pull_request' || github.actor != 'dependabot[bot]'
     permissions:
       contents: read
       actions: read

[claude]

The use of github.actor (rather than github.triggering_actor) means that manually re-running this workflow on a Dependabot PR will still be skipped, because github.actor stays as dependabot[bot] even when a human clicks Re-run. Only a workflow_dispatch with force_run: true can override this.

This is probably fine — it prevents accidental Pro-secret access — but worth a note so maintainers know the escape hatch:

Suggested change

	# Skip for Dependabot PRs — they can't access the Pro license secret
	# Skip for Dependabot PRs — they can't access the Pro license secret.
	# To run Pro CI on a Dependabot PR, use workflow_dispatch with force_run: true
	# (re-running the workflow will NOT help because github.actor stays as dependabot[bot]).
	if: github.actor != 'dependabot[bot]'

[claude]

Code Review

Overall: Correct, minimal, and safe. The three-line change is the right approach — gating detect-changes is enough to skip the entire downstream pipeline because all other jobs needs: detect-changes.

A few things worth knowing:

Re-run behaviour (inline comment posted): github.actor is frozen at the time the workflow was originally triggered, so manually clicking "Re-run" on a Dependabot PR still evaluates as dependabot[bot] and the job is skipped. The only way to force Pro CI on a Dependabot PR is workflow_dispatch with force_run: true. This is probably the right behaviour (prevents accidental secret exposure), but it's non-obvious. I've left a suggestion comment on the YAML to capture this.

Delayed detection of Pro-only breakages: Worth acknowledging explicitly — a dependency bump that breaks something Pro-specific won't surface until after merge, when the push to main fires with a human actor. For a future hardening step (not blocking this PR), adding Pro-specific dependencies to a Dependabot ignore list and bumping them manually would restore full CI coverage without the secret-access problem.

Actor string: 'dependabot[bot]' is the correct, GitHub-documented value. No change needed.

[greptile-apps]

Greptile Summary

This PR adds if: github.actor != 'dependabot[bot]' to the detect-changes job in all three Pro CI workflow files (pro-integration-tests.yml, pro-lint.yml, pro-test-package-and-gem.yml). Because every downstream job in these workflows already declares needs: detect-changes, skipping the gate job causes the entire workflow to be skipped for Dependabot PRs — preventing unnecessary failures caused by the inaccessible REACT_ON_RAILS_PRO_LICENSE_V2 secret.

Key points:

• The change is minimal, consistent, and correctly placed at the single fan-out gate job in each workflow.
• workflow_dispatch continues to work as expected because github.actor will be the human who manually triggered it.
• Push events to main from Dependabot will also be skipped — this is intentional since Dependabot can't supply the Pro license secret regardless of branch context.
• The dependabot[bot] string (including the [bot] suffix) is the canonical GitHub bot actor identifier, so a human GitHub user with a similar username would not be affected.

Confidence Score: 5/5

• This PR is safe to merge — the change is minimal, consistent across all three workflows, and uses the correct canonical bot actor identifier.
• Each workflow has a single gate job (detect-changes) that all other jobs already need; placing the condition there propagates the skip to every downstream job automatically with no further changes required. The dependabot[bot] string is the correct GitHub-issued actor name for Dependabot automation. Manual workflow_dispatch triggers are unaffected. No existing logic for non-Dependabot actors is altered.
• No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/pro-integration-tests.yml	Adds if: github.actor != 'dependabot[bot]' to detect-changes; all downstream jobs inherit the skip via needs.
.github/workflows/pro-lint.yml	Same Dependabot guard added to detect-changes; single downstream job pro-lint-js-and-ruby is automatically skipped.
.github/workflows/pro-test-package-and-gem.yml	Same Dependabot guard added to detect-changes; downstream jobs build-dummy-app-webpack-test-bundles, package-js-tests, and rspec-gem-specs are automatically skipped.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Workflow triggered] --> B{Is Dependabot actor?}
    B -- Yes --> C[detect-changes: SKIPPED]
    C --> D[All downstream jobs: SKIPPED]
    B -- No --> E[detect-changes: RUN]
    E --> F{force_run or full-ci label?}
    F -- Yes --> G[All downstream jobs: RUN]
    F -- No --> H[ci-changes-detector script]
    H --> I{Relevant changes?}
    I -- Yes --> G
    I -- No --> J[Downstream jobs: SKIPPED]

Loading

_{Reviews (1): Last reviewed commit: "Skip Pro CI workflows for Dependabot PRs..." | Re-trigger Greptile}

[claude]

Review: Skip Pro CI for Dependabot PRs

Overall: LGTM with one readability nit and a structural note.

GitHub Actions changes ✅

The detect-changes gating approach is well-chosen. Since all downstream jobs declare needs: detect-changes, skipping that one job cascades the skip to the entire Pro workflow — clean and DRY. The condition correctly handles all three event triggers:

Event	github.actor	Result
pull_request from Dependabot	dependabot[bot]	skipped ✓
pull_request from human	anything else	runs ✓
push to main (post-merge)	merger/GitHub	runs ✓
workflow_dispatch	any	runs ✓

One readability nit on the condition expression — see inline comment. Applies identically to all three workflow files.

TypeScript refactoring ✅ (but unrelated)

The proModeLabel / modeLabel refactors in create-app.ts and index.ts are functionally equivalent to the original nested ternaries — --rsc takes precedence over --pro in both the old and new code. No behavior change.

However, this refactoring is unrelated to the Dependabot CI fix. Bundling unrelated changes makes git blame and bisect noisier. Worth separating into a distinct commit (or PR) if you want a clean history.

No security concerns

The approach is sound: rather than trying to pass secrets to Dependabot PRs (which GitHub explicitly blocks), the entire Pro workflow is simply skipped. Post-merge push to main still validates the Pro suite with full secret access.

[claude]

Code Review - PR 2825

Overall: Ready to merge. The core change is correct and well-implemented.

GitHub Actions condition (3 workflow files)
The condition is:
if: github.event_name != 'pull_request' || github.actor != 'dependabot[bot]'

Logic verification:

• Dependabot pull_request event: FALSE OR FALSE = job skipped (correct)
• Human pull_request: FALSE OR TRUE = runs (correct)
• push to main after Dependabot merge: TRUE = runs (correct)
• workflow_dispatch: TRUE = runs (correct)

Note on PR description: The summary bullets describe the simpler
github.actor != 'dependabot[bot]' form (which would also suppress
push-to-main runs). The actual implementation uses the correctly-scoped
condition. Worth updating the description to avoid misleading future readers.

TypeScript changes (create-app.ts, index.ts)
Functionally equivalent refactors. The ternary
options.rsc ? ... : options.pro ? ... : '' is expanded to explicit
if/else with identical precedence (RSC over Pro). No behavioral change.
These changes are unrelated to the PR's stated purpose (Dependabot CI
skip), making this a mixed-scope PR. Not blocking, but worth noting for
changelog/bisect clarity.

Verified correct:

• 'dependabot[bot]' is the correct canonical GitHub actor string
• Condition applied consistently across all three Pro workflows
• Downstream jobs declare needs: detect-changes, so the gate propagates correctly

[claude]

Condition logic is correct. The github.event_name != 'pull_request' guard is essential — without it, push events triggered when a Dependabot PR is merged into main would also be skipped, silently leaving Pro CI dark on main after every Dependabot merge.

The PR description summary still says if: github.actor != 'dependabot[bot]' (the simpler, broader form). Worth updating the description to match the actual condition so the scoping intent is clear to future readers.

[claude]

Functionally equivalent to the previous ternary — RSC still takes precedence over --pro, and proModeLabel remains null when neither flag is set (which can only happen when proRequested is also false, so the null is never reached in a live code path).

One observation: these changes are unrelated to the PR's Dependabot CI purpose. Bundling them here makes future git bisect and changelog attribution harder. Consider a separate commit or PR for readability changes.

[justin808]

Re: the note about the TypeScript refactoring being unrelated — agreed they're separate concerns, and they're already in distinct commits (07735a248 for the ESLint fix vs 5bdbdd70f/8aadbffcf for the Dependabot CI change), so git blame/bisect will correctly attribute each change.

[github-actions]

size-limit report 📦

Path	Size
react-on-rails/client bundled (gzip)	62.63 KB (0%)
react-on-rails/client bundled (gzip) (time)	62.63 KB (0%)
react-on-rails/client bundled (brotli)	53.7 KB (0%)
react-on-rails/client bundled (brotli) (time)	53.7 KB (0%)
react-on-rails-pro/client bundled (gzip)	63.65 KB (0%)
react-on-rails-pro/client bundled (gzip) (time)	63.65 KB (-0.01% 🔽)
react-on-rails-pro/client bundled (brotli)	54.67 KB (0%)
react-on-rails-pro/client bundled (brotli) (time)	54.67 KB (0%)
registerServerComponent/client bundled (gzip)	127.46 KB (0%)
registerServerComponent/client bundled (gzip) (time)	127.46 KB (0%)
registerServerComponent/client bundled (brotli)	61.65 KB (0%)
registerServerComponent/client bundled (brotli) (time)	61.65 KB (0%)
wrapServerComponentRenderer/client bundled (gzip)	122.02 KB (0%)
wrapServerComponentRenderer/client bundled (gzip) (time)	122.02 KB (0%)
wrapServerComponentRenderer/client bundled (brotli)	56.77 KB (0%)
wrapServerComponentRenderer/client bundled (brotli) (time)	56.77 KB (0%)