fix(ci): stop bonk-check from failing on status writes #356

Merged
geoquant merged 1 commit into cloudflare:main from geoquant:geoquant/bonk-pipeline-fix
Apr 3, 2026

Collaborator

@geoquant geoquant commented Apr 2, 2026

Fixes failing Bonk Check job: https://github.com/cloudflare/kumo/actions/runs/23924593430/job/69779025414

The Bonk Check workflow was failing in Post commit status with Resource not accessible by integration (HTTP 403) when it tried to create a commit status from PR/review contexts.

This change removes the manual commit-status API call and lets the workflow job itself be the required pass/fail signal instead. It also fixes a false-negative on pull_request_review: the old script only scanned issue comments, so /bonk in a review body did not satisfy the check.

Specifically, this PR:

  • removes statuses: write from the workflow permissions
  • drops the gh api .../statuses/... step that was causing the 403
  • fails the workflow normally when /bonk has not been called by a collaborator
  • recognizes /bonk in review bodies as well as PR comments
  • uses more robust JSON/base64 parsing for comment bodies instead of sed splitting

  • Reviews
    • bonk has reviewed the change
    • automated review not possible because: this PR fixes the Bonk check workflow itself, and the failing check is the thing being changed
  • Tests
    • Tests included/updated
    • Automated tests not possible - manual testing has been completed as follows:
    • Additional testing not necessary because: the change is isolated to GitHub Actions workflow logic and directly removes the failing 403 status-write path confirmed in the job logs
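
The gate logic outlined in the description, sketched as an added example (not the workflow's own script): the job's exit status is the signal, /bonk is accepted from a review body or a comment, and comment bodies travel base64-encoded so newlines or " ||| " inside a body cannot break a record. It assumes one login<TAB>base64(body) record per line, the shape a jq filter using @base64 can emit; find_bonk, has_bonk, the token-anchored match, the allow-list standing in for the collaborator lookup and the sample comments are all constructed for this example.

```sh
#!/bin/sh
set -eu
TAB="$(printf '\t')"

# Constructed stand-in for the script's is_collaborator (an API lookup there).
COLLABORATORS="alice bob"
is_collaborator() {
  case " $COLLABORATORS " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# /bonk must be its own token on a line; "docs/bonk.md" does not count.
has_bonk() {
  printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])/bonk([[:space:]]|$)'
}

# Prints the collaborator who issued /bonk, or returns 1.
# $1 event name, $2 review author, $3 review body;
# stdin: one "login<TAB>base64(body)" record per PR comment.
find_bonk() (
  if [ "$1" = "pull_request_review" ] && has_bonk "$3" && is_collaborator "$2"; then
    printf '%s\n' "$2"; return 0
  fi
  while IFS="$TAB" read -r login b64; do
    body="$(printf '%s' "$b64" | base64 -d)"   # decode one whole comment body
    if has_bonk "$body" && is_collaborator "$login"; then
      printf '%s\n' "$login"; return 0
    fi
  done
  return 1
)

# Constructed sample records; bodies contain newlines and " ||| ".
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }
sample_comments() {
  printf '%s\t%s\n' carol "$(b64 "/bonk")"
  printf '%s\t%s\n' bob "$(b64 "see docs/bonk.md ||| not a command")"
  printf '%s\t%s\n' alice "$(b64 "LGTM ||| ship it
/bonk review")"
}

# Outputs are written in one place; the job's exit status is the gate.
if user="$(sample_comments | find_bonk issue_comment "" "")"; then
  { echo "found=true"; echo "bonk_user=$user"; } >> "${GITHUB_OUTPUT:-/dev/null}"
else
  echo "no /bonk from a collaborator" >&2
  exit 1
fi
```
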

Collaborator Author

geoquant commented Apr 2, 2026

/bonk review


pkg-pr-new bot commented Apr 2, 2026

npm i https://pkg.pr.new/@cloudflare/kumo@356

commit: 4d3e984

Contributor

@ask-bonk ask-bonk bot left a comment

This is a solid fix that addresses the 403 error by removing the problematic commit status API call. The approach of letting the workflow job itself be the pass/fail signal is cleaner and more robust.

Highlights:

  • Removing statuses: write permission and the gh api .../statuses/... call correctly fixes the 403 error from fork PRs
  • Adding pull_request_review body checking fixes the false-negative where /bonk in review comments wasn't recognized
  • Using @base64 encoding with jq for parsing is much more robust than the previous sed approach
  • The set -euo pipefail addition improves shell script safety

Minor suggestion: Consider consolidating the duplicate output writes (lines 53-55 and 70-71 both write found=true and bonk_user) into a single location at the end of the script for better maintainability. Not blocking - the current approach works correctly.

Contributor

ask-bonk bot commented Apr 2, 2026

I've completed the review for PR #356. Here's a summary:

Review submitted: View review

Assessment: This is a solid fix that properly addresses the failing Bonk Check workflow. The key improvements are:

  1. Fixes the 403 error - Removes statuses: write permission and the commit status API call that was failing from fork PR contexts
  2. Fixes the false-negative - Now recognizes /bonk in review bodies, not just issue comments
  3. More robust parsing - Uses @base64 encoding with jq instead of sed splitting, which handles special characters better
  4. Better shell safety - Added set -euo pipefail

Minor non-blocking suggestion: The script writes found=true and bonk_user in two different places (lines 53-55 and 70-71). This could be consolidated at the end for better maintainability, but the current approach works correctly.

The PR correctly identifies and fixes the root cause - the commit status API requires elevated permissions that aren't available when workflows run from fork PRs. Using the workflow's own pass/fail state as the required check signal is the right approach.

github run

Contributor

github-actions bot commented Apr 2, 2026

Docs Preview

View docs preview

Commit: 4d3e984

Collaborator Author

geoquant commented Apr 2, 2026

Closing in favor of a single self-contained follow-up PR that replaces the manual /bonk gate with automatic Bonk reviews on PR open/update.

@geoquant geoquant closed this Apr 2, 2026
Contributor

@ask-bonk ask-bonk bot left a comment

This is a well-structured fix that correctly addresses the root cause of the failing Bonk Check workflow.

Key improvements:

  1. Fixes the 403 error - Removing statuses: write permission and the commit status API call is the right approach. Fork PRs don't have access to write commit statuses via the API.

  2. Fixes the false-negative on reviews - Adding pull_request_review body checking ensures /bonk in review comments is properly recognized, not just issue comments.

  3. More robust parsing - Using @base64 encoding with jq instead of sed 's/ ||| .*//' is much safer and handles special characters correctly.

  4. Better shell practices - set -euo pipefail and quoted variable expansions improve script reliability.

  5. Cleaner architecture - Using the workflow job's own pass/fail state as the required check signal is simpler and more idiomatic than manually posting commit statuses.

Minor non-blocking suggestion: Consider consolidating the duplicate output writes (lines 53-55 and 70-71 both write found=true and bonk_user). You could set these once at the end based on the FOUND variable's final state.

Overall, this is a solid improvement that removes the failing code path and fixes the review body detection issue.

if [ "$STATUS" = "204" ]; then
if [ "$EVENT_NAME" = "pull_request_review" ] && printf '%s' "$REVIEW_BODY" | grep -q '/bonk'; then
if is_collaborator "$REVIEW_USER"; then
FOUND=true
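
Review bot: on the pull_request_review line, grep -q '/bonk' matches the string anywhere in $REVIEW_BODY, so a review that only mentions it in passing (a path such as docs/bonk, or "not ready to /bonkify this") satisfies the gate once is_collaborator passes. Consider anchoring the match to a standalone token, for example grep -Eq '(^|[[:space:]])/bonk([[:space:]]|$)', and using the same pattern for the comment scan so both paths agree on what counts as the command.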
Contributor

Non-blocking suggestion: Consider consolidating these output writes with the identical block at line 70. You could set found and bonk_user once at the end of the script based on the final FOUND value to reduce duplication.

Contributor

ask-bonk bot commented Apr 2, 2026

I've completed my review of PR #356 and approved it. Here's my assessment:

Summary

This is a well-structured fix that correctly addresses the root cause of the failing Bonk Check workflow.

Key Improvements

  1. Fixes the 403 error — Removing statuses: write permission and the commit status API call is the correct approach. Fork PRs don't have access to write commit statuses via the API.

  2. Fixes the false-negative on reviews — Adding pull_request_review body checking ensures /bonk in review comments is properly recognized, not just issue comments.

  3. More robust parsing — Using @base64 encoding with jq instead of sed 's/ ||| .*//' is much safer and handles special characters correctly.

  4. Better shell practices - set -euo pipefail and quoted variable expansions improve script reliability.

  5. Cleaner architecture — Using the workflow job's own pass/fail state as the required check signal is simpler and more idiomatic than manually posting commit statuses.

Minor Non-blocking Suggestion

I noted that the output writes (found=true and bonk_user) appear in two places (lines 53-55 and 70-71). These could be consolidated at the end of the script based on the final FOUND value, but this is not blocking.

Overall: Solid improvement that removes the failing code path and fixes the review body detection issue. ✅

github run

@geoquant geoquant reopened this Apr 3, 2026
@geoquant geoquant merged commit dd5d57b into cloudflare:main Apr 3, 2026
32 of 34 checks passed