ci: isolate dependency guard backfill label (#87882)

RomneyDa · web-flow · commit 21b33bd04df2 · 2026-05-28T21:21:13.000-07:00
diff --git a/.github/workflows/auto-response.yml b/.github/workflows/auto-response.yml
@@ -19,6 +19,13 @@ permissions: {}
 
 jobs:
   auto-response:
+    if: >-
+      ${{
+        !(
+          (github.event.action == 'labeled' || github.event.action == 'unlabeled') &&
+          github.event.label.name == 'dependency-guard-backfill'
+        )
+      }}
     permissions:
       contents: read
       issues: write
diff --git a/.github/workflows/clawsweeper-dispatch.yml b/.github/workflows/clawsweeper-dispatch.yml
@@ -24,7 +24,17 @@ concurrency:
 jobs:
   dispatch:
     runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'issue_comment' || !(endsWith(github.actor, '[bot]') && (github.event.action == 'labeled' || github.event.action == 'unlabeled')) }}
+    if: >-
+      ${{
+        github.event_name == 'issue_comment' ||
+        (
+          !(
+            (github.event.action == 'labeled' || github.event.action == 'unlabeled') &&
+            github.event.label.name == 'dependency-guard-backfill'
+          ) &&
+          !(endsWith(github.actor, '[bot]') && (github.event.action == 'labeled' || github.event.action == 'unlabeled'))
+        )
+      }}
     env:
       HAS_CLAWSWEEPER_APP_PRIVATE_KEY: ${{ secrets.CLAWSWEEPER_APP_PRIVATE_KEY != '' }}
       CLAWSWEEPER_APP_CLIENT_ID: Iv23liOECG0slfuhz093
diff --git a/.github/workflows/real-behavior-proof.yml b/.github/workflows/real-behavior-proof.yml
@@ -16,6 +16,13 @@ permissions: {}
 jobs:
   real-behavior-proof:
     name: Real behavior proof
+    if: >-
+      ${{
+        !(
+          (github.event.action == 'labeled' || github.event.action == 'unlabeled') &&
+          github.event.label.name == 'dependency-guard-backfill'
+        )
+      }}
     permissions:
       contents: read
       issues: read
diff --git a/test/scripts/dependency-guard-workflow.test.ts b/test/scripts/dependency-guard-workflow.test.ts
@@ -4,6 +4,11 @@ import { parse } from "yaml";
 
 const WORKFLOW = ".github/workflows/dependency-guard.yml";
 const CODEOWNERS = ".github/CODEOWNERS";
+const BACKFILL_EXCLUDED_WORKFLOWS = [
+  [".github/workflows/auto-response.yml", "auto-response"],
+  [".github/workflows/clawsweeper-dispatch.yml", "dispatch"],
+  [".github/workflows/real-behavior-proof.yml", "real-behavior-proof"],
+];
 
 type WorkflowStep = {
   name?: string;
@@ -33,6 +38,10 @@ function readWorkflow(): Workflow {
   return parse(readFileSync(WORKFLOW, "utf8")) as Workflow;
 }
 
+function readWorkflowFile(path: string): Workflow {
+  return parse(readFileSync(path, "utf8")) as Workflow;
+}
+
 describe("dependency guard workflow", () => {
   it("uses the dependency guard check name", () => {
     const parsed = readWorkflow();
@@ -57,6 +66,16 @@ describe("dependency guard workflow", () => {
     expect(job?.if).toContain("github.event.label.name == 'dependency-guard-backfill'");
   });
 
+  it("keeps the temporary backfill label from waking unrelated PR automation", () => {
+    for (const [workflowFile, jobName] of BACKFILL_EXCLUDED_WORKFLOWS) {
+      const job = readWorkflowFile(workflowFile).jobs?.[jobName];
+
+      expect(job?.if).toContain("github.event.action == 'labeled'");
+      expect(job?.if).toContain("github.event.action == 'unlabeled'");
+      expect(job?.if).toContain("github.event.label.name == 'dependency-guard-backfill'");
+    }
+  });
+
   it("uses a metadata-only pull_request_target workflow with minimal write permissions", () => {
     const workflow = readFileSync(WORKFLOW, "utf8");
     const parsed = readWorkflow();
