checkHumanActor fails with 404 for bot actors before checking allowed_bots configuration #900
Description
Describe the bug
The checkHumanActor function in agent mode fails with a 404 "Not Found" error for scheduled workflows before the allowed_bots configuration is checked. This makes the allowed_bots input ineffective for scheduled/cron-triggered workflows.
Root Cause
In src/github/validation/actor.ts, the function makes an API call before checking the allowed_bots list:
export async function checkHumanActor(octokit, githubContext) {
// This API call fails with 404 for bot accounts
const { data: userData } = await octokit.users.getByUsername({
username: githubContext.actor, // e.g., "github-merge-queue[bot]"
});
const actorType = userData.type;
// allowed_bots check happens AFTER the API call
if (actorType !== "User") {
const allowedBots = githubContext.inputs.allowedBots;
// ... check logic never reached if API call fails
}
}For bot actors like github-merge-queue[bot], octokit.users.getByUsername() returns 404 because bot accounts are not regular GitHub users accessible via the users API.
To Reproduce
- Create a scheduled GitHub Actions workflow using Claude Code action
- Configure
allowed_bots: 'github-merge-queue'(or any bot name) - Wait for the scheduled workflow to run
- Observe 404 error in the "Run test generation skill" step:
##[error]Prepare step failed with error: Not Found - https://docs.github.com/rest
Expected behavior
The allowed_bots check should happen before making the API call. If the actor matches the allowed bots pattern (including * for all bots), the function should return early without attempting the API call.
Proposed Fix
export async function checkHumanActor(octokit, githubContext) {
const allowedBots = githubContext.inputs.allowedBots;
// Check if all bots are allowed first (before any API call)
if (allowedBots.trim() === "*") {
console.log(`All bots are allowed, skipping human actor check`);
return;
}
// Check if specific bot is in allowed list (before API call)
const allowedBotsList = allowedBots
.split(",")
.map((bot) => bot.trim().toLowerCase().replace(/\[bot\]$/, ""))
.filter((bot) => bot.length > 0);
const actorName = githubContext.actor.toLowerCase().replace(/\[bot\]$/, "");
if (allowedBotsList.includes(actorName)) {
console.log(`Bot ${actorName} is in allowed list, skipping human actor check`);
return;
}
// Only make API call if actor is not in allowed list
const { data: userData } = await octokit.users.getByUsername({
username: githubContext.actor,
});
// ... rest of the function
}Workflow yml file
name: QA Auto Unit Test Generation
on:
schedule:
- cron: '0 7 * * 1-5'
workflow_dispatch:
permissions:
contents: write
pull-requests: write
issues: write
id-token: write
actions: read
jobs:
generate-tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Generate GitHub App token
id: generate-token
uses: actions/create-github-app-token@v2
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Run test generation skill
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
github_token: ${{ steps.generate-token.outputs.token }}
prompt: '/qa-add-missing-tests'
# This workaround doesn't work because API call fails first
allowed_bots: 'github-merge-queue'Screenshots
Failed run: https://github.com/theydo/theydo/actions/runs/21662465661/job/62450052698
Error output:
##[group]Run anthropics/claude-code-action@v1
anthropic_api_key: ***
claude_args: --allowedTools "Read,Edit,Write,Bash,Glob,Grep,Task"
trigger_phrase: @claude
...
##[error]Prepare step failed with error: Not Found - https://docs.github.com/rest
Related Issues
- Claude doesn't work in cron jobs #814 - Similar issue with scheduled workflows, but describes 401 OIDC errors. This issue describes the 404 error from
getByUsernameAPI call.
API Provider
[x] Anthropic First-Party API (default)
[ ] AWS Bedrock
[ ] GCP Vertex