From 2e2d0973ae45ae7125a8b14f07c2e257f29f4531 Mon Sep 17 00:00:00 2001
From: Derek Misler <derekmisler@gmail.com>
Date: Tue, 12 May 2026 21:23:54 +0000
Subject: [PATCH 1/2] fix: prevent bot-triggered PR review loops

Guards previously relied on a single bare-string literal ('docker-agent')
and/or the sender.type == 'Bot' heuristic. PAT-based bots have type 'User',
so those checks were silently missed. Additionally several workflow branches
had no actor check at all.

Changes:
- self-review-pr-trigger.yml: extend save-context job guard to also reject
  'docker-agent[bot]', any user.type == 'Bot', and comments bearing the
  <!-- cagent-review --> or <!-- cagent-review-reply --> HTML markers.
  The marker check is self-healing across identity changes.

- self-review-pr.yml: add actor + marker guard to the issue_comment branch
  of the review job (previously had no actor check at all).

- review-pr.yml (review job, issue_comment branch): add the same actor +
  marker guard. The bot's own comments can no longer queue a review run.

- review-pr.yml (review job, pull_request non-review_requested branch):
  tighten sender check from type != 'Bot' to also reject
  sender.login == 'docker-agent' and 'docker-agent[bot]', covering PAT
  machine-user accounts whose type is 'User'.

- review-pr.yml (reply-to-feedback artifact path): add missing
  comment-author-type != 'Bot' check to match the parity of the direct
  path and reply-to-mention's artifact branch.

- review-pr/README.md: add the same job-level if: guard to the
  pr-review-trigger.yml consumer template so copy-paste deployments are
  protected out of the box.
---
 .github/workflows/review-pr.yml              | 12 +++++++++---
 .github/workflows/self-review-pr-trigger.yml |  7 ++++++-
 .github/workflows/self-review-pr.yml         |  7 ++++++-
 review-pr/README.md                          |  6 ++++++
 4 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/review-pr.yml b/.github/workflows/review-pr.yml
index f233f34..74ff8f4 100644
--- a/.github/workflows/review-pr.yml
+++ b/.github/workflows/review-pr.yml
@@ -141,8 +141,14 @@ jobs:
     needs: [resolve-context]
     if: |
       always() && (
-        (github.event_name == 'issue_comment' && github.event.issue.pull_request) ||
-        (github.event_name == 'pull_request' && github.event.action != 'review_requested' && github.event.sender.type != 'Bot') ||
+        (github.event_name == 'issue_comment' &&
+         github.event.issue.pull_request &&
+         github.event.comment.user.login != 'docker-agent' &&
+         github.event.comment.user.login != 'docker-agent[bot]' &&
+         github.event.comment.user.type != 'Bot' &&
+         !contains(github.event.comment.body, '<!-- cagent-review -->') &&
+         !contains(github.event.comment.body, '<!-- cagent-review-reply -->')) ||
+        (github.event_name == 'pull_request' && github.event.action != 'review_requested' && github.event.sender.type != 'Bot' && github.event.sender.login != 'docker-agent' && github.event.sender.login != 'docker-agent[bot]') ||
         (github.event_name == 'pull_request' && github.event.action == 'review_requested' && github.event.requested_reviewer.login == 'docker-agent') ||
         inputs.pr-number != '' ||
         (needs.resolve-context.result == 'success' && needs.resolve-context.outputs.trigger-event == 'pull_request')
@@ -372,7 +378,7 @@ jobs:
     if: |
       always() && needs.resolve-context.result != 'failure' && (
         (github.event_name == 'pull_request_review_comment' && github.event.comment.in_reply_to_id && github.event.comment.user.login != 'docker-agent' && github.event.comment.user.type != 'Bot') ||
-        (needs.resolve-context.result == 'success' && needs.resolve-context.outputs.trigger-event == 'pull_request_review_comment' && needs.resolve-context.outputs.comment-in-reply-to-id != '' && needs.resolve-context.outputs.comment-author != 'docker-agent')
+        (needs.resolve-context.result == 'success' && needs.resolve-context.outputs.trigger-event == 'pull_request_review_comment' && needs.resolve-context.outputs.comment-in-reply-to-id != '' && needs.resolve-context.outputs.comment-author != 'docker-agent' && needs.resolve-context.outputs.comment-author-type != 'Bot')
       )
     runs-on: ubuntu-latest
     permissions:
diff --git a/.github/workflows/self-review-pr-trigger.yml b/.github/workflows/self-review-pr-trigger.yml
index ffa8123..97f403e 100644
--- a/.github/workflows/self-review-pr-trigger.yml
+++ b/.github/workflows/self-review-pr-trigger.yml
@@ -9,7 +9,12 @@ permissions: {}
 
 jobs:
   save-context:
-    if: github.event.comment.user.login != 'docker-agent'
+    if: >
+      github.event.comment.user.login != 'docker-agent' &&
+      github.event.comment.user.login != 'docker-agent[bot]' &&
+      github.event.comment.user.type != 'Bot' &&
+      !contains(github.event.comment.body, '<!-- cagent-review -->') &&
+      !contains(github.event.comment.body, '<!-- cagent-review-reply -->')
     runs-on: ubuntu-latest
     steps:
       - name: Save event context
diff --git a/.github/workflows/self-review-pr.yml b/.github/workflows/self-review-pr.yml
index 961621e..ecd8514 100644
--- a/.github/workflows/self-review-pr.yml
+++ b/.github/workflows/self-review-pr.yml
@@ -12,7 +12,12 @@ permissions:
 jobs:
   review:
     if: |
-      github.event_name == 'issue_comment' ||
+      (github.event_name == 'issue_comment' &&
+       github.event.comment.user.login != 'docker-agent' &&
+       github.event.comment.user.login != 'docker-agent[bot]' &&
+       github.event.comment.user.type != 'Bot' &&
+       !contains(github.event.comment.body, '<!-- cagent-review -->') &&
+       !contains(github.event.comment.body, '<!-- cagent-review-reply -->')) ||
       github.event.workflow_run.conclusion == 'success'
     uses: docker/cagent-action/.github/workflows/review-pr.yml@f208610469d69f20983cad64c577949a132caa33 # v1.5.3
     permissions:
diff --git a/review-pr/README.md b/review-pr/README.md
index e77ef61..6e95e9d 100644
--- a/review-pr/README.md
+++ b/review-pr/README.md
@@ -56,6 +56,12 @@ permissions: {}
 
 jobs:
   save-context:
+    if: >
+      github.event.comment.user.login != 'docker-agent' &&
+      github.event.comment.user.login != 'docker-agent[bot]' &&
+      github.event.comment.user.type != 'Bot' &&
+      !contains(github.event.comment.body, '<!-- cagent-review -->') &&
+      !contains(github.event.comment.body, '<!-- cagent-review-reply -->')
     runs-on: ubuntu-latest
     steps:
       - name: Save event context

From 2282e92e9218299cddda2cc290beedd0cb20e54e Mon Sep 17 00:00:00 2001
From: Derek Misler <derekmisler@gmail.com>
Date: Tue, 12 May 2026 21:33:33 +0000
Subject: [PATCH 2/2] fix: add docker-agent[bot] login guard and update README
 caller template
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- review-pr.yml: reply-to-feedback artifact path now also rejects
  comment-author == 'docker-agent[bot]', matching the parity pattern
  used in all other multi-identity guards throughout the file.

- review-pr/README.md: the consumer pr-review.yml caller template's
  review job if: condition now mirrors self-review-pr.yml — the bare
  'issue_comment' branch is replaced with a 6-condition guard that
  rejects both docker-agent login variants, type==Bot accounts, and
  any comment bearing the <!-- cagent-review --> or
  <!-- cagent-review-reply --> HTML markers.
---
 .github/workflows/review-pr.yml | 2 +-
 review-pr/README.md             | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/review-pr.yml b/.github/workflows/review-pr.yml
index 74ff8f4..d70fa31 100644
--- a/.github/workflows/review-pr.yml
+++ b/.github/workflows/review-pr.yml
@@ -378,7 +378,7 @@ jobs:
     if: |
       always() && needs.resolve-context.result != 'failure' && (
         (github.event_name == 'pull_request_review_comment' && github.event.comment.in_reply_to_id && github.event.comment.user.login != 'docker-agent' && github.event.comment.user.type != 'Bot') ||
-        (needs.resolve-context.result == 'success' && needs.resolve-context.outputs.trigger-event == 'pull_request_review_comment' && needs.resolve-context.outputs.comment-in-reply-to-id != '' && needs.resolve-context.outputs.comment-author != 'docker-agent' && needs.resolve-context.outputs.comment-author-type != 'Bot')
+        (needs.resolve-context.result == 'success' && needs.resolve-context.outputs.trigger-event == 'pull_request_review_comment' && needs.resolve-context.outputs.comment-in-reply-to-id != '' && needs.resolve-context.outputs.comment-author != 'docker-agent' && needs.resolve-context.outputs.comment-author-type != 'Bot' && needs.resolve-context.outputs.comment-author != 'docker-agent[bot]')
       )
     runs-on: ubuntu-latest
     permissions:
diff --git a/review-pr/README.md b/review-pr/README.md
index 6e95e9d..4df7a0d 100644
--- a/review-pr/README.md
+++ b/review-pr/README.md
@@ -103,7 +103,12 @@ permissions:
 jobs:
   review:
     if: |
-      github.event_name == 'issue_comment' ||
+      (github.event_name == 'issue_comment' &&
+       github.event.comment.user.login != 'docker-agent' &&
+       github.event.comment.user.login != 'docker-agent[bot]' &&
+       github.event.comment.user.type != 'Bot' &&
+       !contains(github.event.comment.body, '<!-- cagent-review -->') &&
+       !contains(github.event.comment.body, '<!-- cagent-review-reply -->')) ||
       github.event.workflow_run.conclusion == 'success'
     uses: docker/cagent-action/.github/workflows/review-pr.yml@VERSION
     permissions: