Fix PR review workflow condition to avoid undefined property access#2157
Closed
Fix PR review workflow condition to avoid undefined property access#2157
Conversation
The previous condition structure could fail when evaluating properties like github.event.label.name or github.event.requested_reviewer.login, even when those branches of the OR expression should be short-circuited. This restructures the condition to: 1. Group non-label triggers (opened, ready_for_review, review_requested) together with the author_association check 2. Isolate the label trigger separately so github.event.label is only accessed when action == 'labeled' This matches the working pattern used in OpenHands/OpenHands. Co-authored-by: openhands <openhands@all-hands.dev>
enyst
reviewed
Feb 20, 2026
enyst
reviewed
Feb 20, 2026
Collaborator
enyst
left a comment
enyst
left a comment
There was a problem hiding this comment.
Sorry, I didn't mean it, but it's funny! I suspect with reasonable -ish confidence that the reason for the failures may be this:
I set the workflow under condition that the author is collaborator or member or owner.
But the workflow doesn't seem able to retrieve 'member' or 'owner', because the org doesn't provide that data? 😅
Result: AH folks are not recognized, while my account is still acceptable ("collaborator"):
Contributor
Author
|
Closing in favor of @enyst 's correct solution |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes the PR review workflow which has been skipping 94% of runs since the security hardening change on Feb 20.
Problem
Since commit 795e20d (Clinejection hardening), only 2 out of 32 workflow runs succeeded - both from the
openedevent on non-draft PRs. All other triggers (ready_for_review,labeled,review_requested) were being skipped.Root Cause
The condition structure evaluated properties like
github.event.label.nameandgithub.event.requested_reviewer.logineven when those event types weren't triggered. GitHub Actions expressions may not properly short-circuit when accessing properties on undefined objects, causing the entire condition to fail.Before (broken):
Solution
Restructure the condition to isolate each trigger type, ensuring event-specific properties are only accessed when that event type is active:
This matches the working pattern used in
OpenHands/OpenHands.Testing
After this PR merges, triggering any of these should work:
ready_for_review- convert draft PR to readylabeled- addreview-thislabelreview_requested- request review fromopenhands-agentorall-hands-botRelated
This fix only applies to
software-agent-sdk. Other repos (runtime-api,deploy) use an older condition format that doesn't have this issue.@neubig can click here to continue refining the PR
Agent Server images for this PR
• GHCR package: https://github.com/OpenHands/agent-sdk/pkgs/container/agent-server
Variants & Base Images
eclipse-temurin:17-jdknikolaik/python-nodejs:python3.12-nodejs22golang:1.21-bookwormPull (multi-arch manifest)
# Each variant is a multi-arch manifest supporting both amd64 and arm64 docker pull ghcr.io/openhands/agent-server:27e4f6f-pythonRun
All tags pushed for this build
About Multi-Architecture Support
27e4f6f-python) is a multi-arch manifest supporting both amd64 and arm6427e4f6f-python-amd64) are also available if needed