hotdata-dev · zfarrell · Jun 8, 2026 · claude · Jun 8, 2026
diff --git a/.github/workflows/claude-pr-review.yml b/.github/workflows/claude-pr-review.yml
@@ -22,12 +22,12 @@ jobs:
         with:
           fetch-depth: 1
 
-      - name: Skip review for Dependabot bump
-        if: github.event.pull_request.user.login == 'dependabot[bot]'
-        run: echo "Dependabot bump — skipping Claude review."
-
+      # NOTE: Dependabot-triggered runs read from *Dependabot* secrets and get a
+      # read-only GITHUB_TOKEN. For Claude to review Dependabot PRs,
+      # HOTDATA_AUTOMATION_PRIVATE_KEY and ANTHROPIC_API_KEY must also be set as
+      # Dependabot secrets, and the App token (below) is used for any write
+      # operations since the default GITHUB_TOKEN cannot post comments here.
       - name: Generate GitHub App token
-        if: github.event.pull_request.user.login != 'dependabot[bot]'
         id: app-token
         uses: actions/create-github-app-token@v3.2.0
         with:
@@ -36,7 +36,6 @@ jobs:
           owner: hotdata-dev
 
       - uses: actions/checkout@v6.0.2
-        if: github.event.pull_request.user.login != 'dependabot[bot]'
         with:
           repository: hotdata-dev/github-workflows
           ref: main
@@ -46,7 +45,6 @@ jobs:
           sparse-checkout-cone-mode: false
 
       - name: Load review prompt
-        if: github.event.pull_request.user.login != 'dependabot[bot]'
         id: prompt
         run: |
           PROMPT=$(cat .github-workflows/docs/claude-pr-review-prompt.md)
@@ -55,11 +53,9 @@ jobs:
           echo "EOF" >> $GITHUB_OUTPUT
 
       - name: Verify jq is available
-        if: github.event.pull_request.user.login != 'dependabot[bot]'
         run: jq --version
 
       - name: Gather review context
-        if: github.event.pull_request.user.login != 'dependabot[bot]'
         id: context
         run: |
           PR_NUMBER=${{ github.event.pull_request.number }}
@@ -94,13 +90,13 @@ jobs:
           GH_TOKEN: ${{ github.token }}
 
       - uses: anthropics/claude-code-action@v1
-        if: github.event.pull_request.user.login != 'dependabot[bot]'
         id: review
         continue-on-error: true
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          github_token: ${{ steps.app-token.outputs.token }}
           track_progress: false
-          allowed_bots: "hotdata-automation[bot],aikido-autofix[bot]"
+          allowed_bots: "hotdata-automation[bot],aikido-autofix[bot],dependabot[bot]"
           prompt: |
             REPO: ${{ github.repository }}
             PR NUMBER: ${{ github.event.pull_request.number }}
@@ -117,7 +113,7 @@ jobs:
             --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr review:*),Read"
 
       - name: Notify on review failure
-        if: github.event.pull_request.user.login != 'dependabot[bot]' && (steps.review.outcome == 'failure' || steps.review.outcome == 'cancelled')
+        if: steps.review.outcome == 'failure' || steps.review.outcome == 'cancelled'
         run: gh pr comment ${{ github.event.pull_request.number }} --body "Automated review unavailable (Claude step failed). Please review manually."
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}