WIP [2026-03-04 10:49:27]

Signed-off-by: Derek Misler <derek.misler@docker.com>

Author: derekmisler

action.yml

@@ -192,6 +192,7 @@ runs:
         ACTION_PATH: ${{ github.action_path }}
         # Get author_association from comment events (the main risk)
         COMMENT_ASSOCIATION: ${{ github.event.comment.author_association }}
+        COMMENT_USER_LOGIN: ${{ github.event.comment.user.login }}
         DEBUG: ${{ inputs.debug }}
       run: |
         # Only enforce auth for comment-triggered events
@@ -202,6 +203,13 @@ runs:
           exit 0
         fi
 
+        # Allow our own GitHub App bot to trigger reviews (e.g., auto-triage posts /review)
+        if [ "$COMMENT_USER_LOGIN" = "docker-agent[bot]" ]; then
+          echo "ℹ️ Skipping auth check (trusted bot: $COMMENT_USER_LOGIN)"
+          echo "authorized=bot" >> $GITHUB_OUTPUT
+          exit 0
+        fi
+
         echo "Using comment author_association: $COMMENT_ASSOCIATION"
 
         # Allowed roles (hardcoded for security - cannot be overridden)