ci: require Mantis app for QA comments (#76834)

Peter Steinberger
2026-05-03 18:08:46 +01:00
committed by GitHub
parent bd0e10a2f6
commit 2416bc668c
2 changed files with 7 additions and 7 deletions


@@ -33,7 +33,6 @@ env:
PNPM_VERSION: "10.33.0"
OPENCLAW_BUILD_PRIVATE_QA: "1"
OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
HAS_MANTIS_GITHUB_APP: ${{ secrets.MANTIS_GITHUB_APP_ID != '' && secrets.MANTIS_GITHUB_APP_PRIVATE_KEY != '' }}
jobs:
authorize_actor:
@@ -269,7 +268,7 @@ jobs:
- name: Create Mantis GitHub App token
id: mantis_app_token
if: ${{ always() && inputs.pr_number != '' && env.HAS_MANTIS_GITHUB_APP == 'true' }}
if: ${{ always() && inputs.pr_number != '' }}
uses: actions/create-github-app-token@v3
with:
app-id: ${{ secrets.MANTIS_GITHUB_APP_ID }}
@@ -283,11 +282,12 @@ jobs:
- name: Comment PR with inline QA screenshots
if: ${{ always() && inputs.pr_number != '' && steps.run_mantis.outputs.output_dir != '' }}
env:
GH_TOKEN: ${{ steps.mantis_app_token.outputs.token || github.token }}
GH_TOKEN: ${{ steps.mantis_app_token.outputs.token }}
TARGET_PR: ${{ inputs.pr_number }}
ARTIFACT_URL: ${{ steps.upload_artifact.outputs.artifact-url }}
BASELINE_SHA: ${{ needs.validate_refs.outputs.baseline_revision }}
CANDIDATE_SHA: ${{ needs.validate_refs.outputs.candidate_revision }}
MANTIS_COMMENT_BOT_LOGIN: openclaw-mantis-qa[bot]
shell: bash
run: |
set -euo pipefail
@@ -366,7 +366,7 @@ jobs:
comment_id="$(
gh api --paginate "repos/${GITHUB_REPOSITORY}/issues/${TARGET_PR}/comments" \
--jq '.[] | select(.body | contains("<!-- mantis-discord-status-reactions -->")) | .id' \
--jq ".[] | select(.body | contains(\"<!-- mantis-discord-status-reactions -->\")) | select(.user.login == \"${MANTIS_COMMENT_BOT_LOGIN}\") | .id" \
| tail -n 1
)"
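Review bot: With the `|| github.token` fallback removed, the comment step in the third hunk still runs under `always()` and nothing checks that `steps.mantis_app_token.outputs.token` is non-empty, so a failed token step leaves `GH_TOKEN` empty and the script only fails later with a generic gh authentication error. If a `GITHUB_TOKEN` variable is exported elsewhere in the workflow (not visible in these hunks), gh would presumably pick that up instead and quietly post as `github-actions[bot]` again. A fail-closed guard right after `set -euo pipefail`, for example `: "${GH_TOKEN:?Mantis GitHub App token is required}"`, would make the requirement explicit; the rest of the script lies outside the hunk. In the last hunk the bot login is now spliced into the jq program by the shell, which is safe only while the value is a workflow constant, so a comment such as `# MANTIS_COMMENT_BOT_LOGIN is interpolated into the jq filter; keep it a fixed literal` would help the next editor.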


@@ -355,9 +355,9 @@ messages, and other bulky evidence stay in the Actions artifact.
Production workflows should post those comments with the Mantis GitHub App, not
with `github-actions[bot]`. Store the app id and private key as
`MANTIS_GITHUB_APP_ID` and `MANTIS_GITHUB_APP_PRIVATE_KEY` GitHub Actions
secrets. If those secrets are missing, the workflow may fall back to
`github-actions[bot]` for local bring-up, but that is not the desired long-term
identity.
secrets. The workflow should update an existing Mantis-owned comment when one
exists; if only an older `github-actions[bot]` comment exists, it should create a
new Mantis-owned comment instead of rewriting the legacy bot comment.
The PR comment should be short and visual: