test: verify visible automatic bonk wrapper (updated)

[geoquant]

Fourth smoke-test PR for the automatic Bonk workflow.

This PR targets main so the smoke test reflects the real protected-branch flow after the bonk-check context/concurrency polish in PR #357.

Expected behavior for this smoke test:

• a visible automatic /bonk review comment appears on the PR
• Bonk runs and leaves a review without a human typing /bonk
• the PR remains blocked on main

---

• Reviews
  • bonk has reviewed the change
  • automated review not possible because: this PR exists only to verify the Bonk workflow changes themselves
• Tests
  • Tests included/updated
  • Automated tests not possible - manual testing has been completed as follows:
  • Additional testing not necessary because: this PR only adds a markdown smoke-test file to exercise the workflow behavior under test

[github-actions]

/bonk review

Triggered automatically for this PR.

[ask-bonk]

Review Summary

This PR refactors the Bonk automation workflow to provide automatic /bonk review triggers on PRs. This is a well-structured change that improves the developer experience by eliminating the manual /bonk comment step.

Changes Overview

1. bonk-check.yml - Major refactor:

• Switches from issue_comment/pull_request/pull_request_review triggers to pull_request_target (for automatic triggering on PR open/update/ready)
• Adds workflow_dispatch for manual testing capability
• Introduces proper concurrency control with cancel-in-progress: true
• Posts a visible automatic /bonk review comment (with <!-- auto-bonk --> marker to prevent duplicates)
• Dispatches the bonk.yml workflow via GitHub API

2. bonk.yml - Adds workflow_dispatch support:

• New workflow_dispatch trigger with PR metadata inputs
• Conditional logic to skip setup steps (pnpm, Node, deps) for auto-dispatched runs
• New "Run automatic Bonk review" job for workflow_dispatch events

3. bigbonk.yml - Cleanup:

• Removes unused pull_request_review trigger

4. Test file:

• AUTO_BONK_SMOKE_TEST_4.md - Simple smoke test file as described

Correctness & Security

• pull_request_target usage: Appropriately used here since the workflow needs write permissions (PR comments, workflow dispatch) and only operates on PR metadata, not untrusted code
• actions: write permission: Required for the gh api call to dispatch the bonk.yml workflow - this is the minimal required permission
• Concurrency handling: Properly uses cancel-in-progress: true in bonk-check.yml to prevent redundant runs
• Draft PR handling: Correctly skips automatic bonk for draft PRs

Suggestions

1. Line 115-121 in bonk-check.yml: The summary step uses ${{ steps.pr.outputs.number }} directly in the shell command. Consider quoting to handle any edge cases, though GitHub Actions automatically handles numeric outputs safely.

2. The AUTO_BONK_SMOKE_TEST_4.md file should be removed before merge since it's only for testing the workflow.

Overall, this is a clean implementation that improves the PR review workflow. The logic is sound and the security considerations are appropriately addressed.

[pkg-pr-new]

npm i https://pkg.pr.new/@cloudflare/kumo@361

commit: e966a41

[github-actions]

Docs Preview

View docs preview

Commit: e966a41