Knowledge-sync-gate Dependabot exemption

Decision

Add the job-level condition if: github.actor != 'dependabot[bot]' to the knowledge-sync-gate job in knowledge-sync-gate.yml across all three code repositories. When the account that triggered the run is the Dependabot bot, the whole job is skipped rather than failing; no step inside it runs.
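The shape of the change, as an added illustration rather than the actual knowledge-sync-gate.yml from any of the three repositories. The trigger types, runner, step names, the placeholder ORG/knowledge clone URL and the way changed-files-to-docs.ts is invoked are all assumptions; only the job name, the secret name and the if: condition come from this record.

```yaml
# Illustrative knowledge-sync-gate.yml (not the project's file).
# Assumed: trigger types, runner image, ORG/knowledge URL, script invocation.
name: knowledge-sync-gate

on:
  pull_request:
    types: [opened, synchronize, reopened, labeled, unlabeled]

jobs:
  knowledge-sync-gate:
    # The exemption. github.actor is the account that triggered this run.
    # Dependabot-triggered runs receive no repository secrets, so without this
    # condition the clone step below fails with git exit code 128 on every run.
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so the changed-file diff is available

      - name: Clone private knowledge repo
        env:
          KNOWLEDGE_REPO_TOKEN: ${{ secrets.KNOWLEDGE_REPO_TOKEN }}
        run: |
          # Fail with a readable message if the secret is empty instead of a
          # bare authentication error from git.
          if [ -z "$KNOWLEDGE_REPO_TOKEN" ]; then
            echo "KNOWLEDGE_REPO_TOKEN is not available in this run" >&2
            exit 1
          fi
          # ORG/knowledge is a placeholder for the real private repo.
          git clone --depth 1 \
            "https://x-access-token:${KNOWLEDGE_REPO_TOKEN}@github.com/ORG/knowledge.git" knowledge

      - name: Check changed code files against knowledge docs
        # Invocation assumed; the real script path and runner may differ.
        run: pnpm exec tsx changed-files-to-docs.ts --knowledge-dir knowledge
```

A job skipped by a false job-level if: reports as skipped, which GitHub treats as passing for a required status check, so the exemption does not leave Dependabot PRs stuck in a pending state. Note that github.actor is the account that caused the run, not the PR author: if a human pushes a commit to a Dependabot branch, that run has a human actor, receives repository secrets, and the gate runs normally.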

Applied identically in:

  • PR churchwiseai-web #444 (merged 2026-05-12)
  • PR pewsearch #40 (merged 2026-05-12)
  • PR ITW #23 (merged 2026-05-12)

Context

The knowledge-sync-gate.yml workflow clones the private knowledge repo using KNOWLEDGE_REPO_TOKEN (a GitHub PAT) to run changed-files-to-docs.ts and check whether changed code files have paired knowledge doc updates.

GitHub does not expose repository secrets (nor a writable GITHUB_TOKEN) to workflow runs triggered by Dependabot; only secrets registered separately as Dependabot secrets are available to such runs. When Dependabot opens a PR to bump a package version, the workflow triggers but secrets.KNOWLEDGE_REPO_TOKEN evaluates to an empty string, the git clone step exits with code 128 (authentication failure), and the gate blocks the PR on every run, which no override label can unblock because the failure happens before any label is consulted.

Why Dependabot PRs don't need the knowledge-sync check

Dependabot PRs bump package.json versions and lockfiles (pnpm-lock.yaml, package-lock.json). These files:

  1. Are not referenced as code-files in any knowledge/ document's frontmatter.
  2. Do not change business logic, API contracts, DB schema, or customer-facing flows.
  3. Never require a paired knowledge doc update (a lockfile bump has no knowledge docs to sync).

The changed-files-to-docs.ts script would return zero matching docs for these files even if it could run, so the exemption is semantically correct, not just a technical workaround.
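To make the zero-match claim concrete, here is an added model of the pairing check, written for this record and not the project's changed-files-to-docs.ts. The frontmatter shape (a code-files list of exact paths or directory prefixes ending in "/"), the two sample knowledge docs and the changed-file lists are all constructed; they show why a manifest-plus-lockfile diff matches no doc while the same bump alongside a real code change does.

```typescript
// Added illustration of the knowledge-sync pairing check. NOT the project's
// changed-files-to-docs.ts; frontmatter shape, sample docs and diffs are assumed.

interface KnowledgeDoc {
  path: string;        // doc path inside the knowledge repo
  codeFiles: string[]; // code paths (exact) or directory prefixes ending in "/"
}

// Minimal frontmatter reader: collects the items under a `code-files:` key
// inside the leading "---" block. Returns [] when there is no frontmatter.
export function parseCodeFiles(markdown: string): string[] {
  const m = markdown.match(/^---\n([\s\S]*?)\n---/);
  if (!m) return [];
  const body = m[1] ?? "";
  const out: string[] = [];
  let inList = false;
  for (const line of body.split("\n")) {
    if (/^code-files:\s*$/.test(line)) { inList = true; continue; }
    if (inList && /^\s+-\s+/.test(line)) { out.push(line.replace(/^\s+-\s+/, "").trim()); continue; }
    if (inList && !/^\s/.test(line)) inList = false; // next top-level key ends the list
  }
  return out;
}

// A changed path matches an entry if identical, or if the entry is a directory prefix.
function matches(changed: string, entry: string): boolean {
  return entry.endsWith("/") ? changed.startsWith(entry) : changed === entry;
}

// Docs whose declared code-files intersect the PR's changed files.
export function docsNeedingUpdate(changed: string[], docs: KnowledgeDoc[]): string[] {
  return docs
    .filter(d => changed.some(c => d.codeFiles.some(e => matches(c, e))))
    .map(d => d.path);
}

// Constructed sample knowledge docs (not real project content).
const SAMPLE_DOCS_MD: Record<string, string> = {
  "knowledge/features/checkout.md": `---
title: Checkout flow
code-files:
  - src/checkout/
  - src/api/orders.ts
---
# Checkout
`,
  "knowledge/infra/db-schema.md": `---
title: DB schema
code-files:
  - prisma/schema.prisma
---
`,
};

export function sampleDoc(path: string): string {
  return SAMPLE_DOCS_MD[path] ?? "";
}

export const SAMPLE_DOCS: KnowledgeDoc[] = Object.entries(SAMPLE_DOCS_MD).map(
  ([path, md]) => ({ path, codeFiles: parseCodeFiles(md) }),
);

// A typical Dependabot diff: manifest and lockfile only (constructed).
export const DEPENDABOT_CHANGES = ["package.json", "pnpm-lock.yaml"];
// A human PR that bumps a package AND touches business logic (constructed).
export const HUMAN_CHANGES = ["package.json", "pnpm-lock.yaml", "src/checkout/cart.ts"];

export function demo(): { dependabot: string[]; human: string[] } {
  return {
    dependabot: docsNeedingUpdate(DEPENDABOT_CHANGES, SAMPLE_DOCS), // []
    human: docsNeedingUpdate(HUMAN_CHANGES, SAMPLE_DOCS),           // ["knowledge/features/checkout.md"]
  };
}
```

The Dependabot diff yields an empty result because no doc lists package.json or a lockfile as a code file; the human diff matches the checkout doc through its src/checkout/ prefix, which is exactly the case the exemption leaves untouched since that run's github.actor is the human who pushed.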

What the exemption does NOT change

  • Human-authored PRs that happen to include a package bump alongside real code changes: the if: check evaluates github.actor, which is the account that triggered the run (for a pull_request event, whoever pushed the commit), not the PR's listed author. If that account is a human rather than dependabot[bot], the gate runs normally, including for a commit a human pushes onto a Dependabot branch. The exemption is strictly scoped to runs triggered by the Dependabot bot account.
  • The gate still runs for all PRs where github.actor is any human or other GitHub App actor.
  • The knowledge-sync-updated and knowledge-sync-override labels still work as before for human PRs.

Supplements

knowledge/decisions/2026-04-24-knowledge-sync-gate.md — the original gate ADR. This decision is an amendment/supplement to that record; it does not supersede it.