CI: trigger BrowserStack directly on Dependabot PRs#3576

Merged
zinduolis merged 3 commits into master from red/dependabot-automerge-fix
May 29, 2026

Conversation

@zinduolis
Contributor

Category

Core Functionality (CI / GitHub Actions)

Feature/Issue Description

Q: Please give a brief summary of your feature/fix

A: The BrowserStack workflow never ran on Dependabot PRs even though the safe_to_test label was being applied. GitHub deliberately prevents events created by the default GITHUB_TOKEN from triggering other workflows (to avoid recursive loops), so the label re-add performed by dependabot_auto_label.yml could never start the BrowserStack run listening on types: [ labeled ]. This fix triggers BrowserStack directly for Dependabot PRs and removes the redundant auto-label workflow.

Q: Give a technical rundown of what you have changed (if applicable)

A:

  • .github/workflows/github_actions.yml
    • Widened the trigger from types: [ labeled ] to types: [ opened, synchronize, reopened, labeled ] so Dependabot PRs start the workflow on their normal lifecycle events — no cross-workflow event chaining required.
    • Broadened the job condition to auto-run for Dependabot while keeping the manual opt-in for humans:
      if: >-
        (github.event.pull_request.user.login == 'dependabot[bot]' && github.event.action != 'labeled') ||
        github.event.label.name == 'safe_to_test'
      The && github.event.action != 'labeled' guard stops the labels Dependabot adds to its own PRs (dependencies, ruby, …) from each kicking off a redundant run, since opened/synchronize already cover it. On non-label events github.event.label is null, so the second clause is simply false.
    • Scoped the "Remove safe_to_test label" step with if: github.event.action == 'labeled' so it stays a no-op on Dependabot runs while preserving the re-trigger behaviour for human PRs.
  • Deleted .github/workflows/dependabot_auto_label.yml. Its only job was to add safe_to_test via GITHUB_TOKEN, which never triggered anything; with BrowserStack triggering directly it has no remaining function.

Security note: pull_request_target runs in the base-repo context with secret access and the workflow checks out github.event.pull_request.head.sha — this is unchanged from today. Auto-running is limited to dependabot[bot], a trusted first-party bot that only modifies dependency manifests. The safe_to_test label gate remains the path for any non-Dependabot/external PRs; the auto-trigger is intentionally not broadened to arbitrary contributors.

Test Cases

Q: Describe your test cases, what you have covered and if there are any use cases that still need addressing.

A: Workflow YAML validated (no syntax/diagnostic issues). Behaviour to confirm on the next Dependabot PR against master:

  • A Dependabot opened/synchronize/reopened event starts exactly one BrowserStack run (no duplicate run from Dependabot's own label additions).
  • A human PR manually labelled safe_to_test still triggers the run and the label is removed by the first step.
  • A non-safe_to_test label on a non-Dependabot PR does not trigger a run.
    The full end-to-end BrowserStack execution depends on repository secrets and can only be exercised in CI on the upstream repo.

Wiki Page

N/A — internal CI behaviour, no user-facing feature.

zinduolis and others added 2 commits May 29, 2026 13:55
The default GITHUB_TOKEN cannot trigger downstream workflows, so the
safe_to_test label added by dependabot_auto_label.yml never started the
BrowserStack run. Trigger BrowserStack directly for Dependabot PRs on
opened/synchronize/reopened, keep the safe_to_test label opt-in for human
PRs, and remove the now-redundant auto-label workflow.
@zinduolis zinduolis added the safe_to_test Label to trigger tests on PR label May 29, 2026
@github-actions github-actions Bot removed the safe_to_test Label to trigger tests on PR label May 29, 2026
Also gate the auto-run condition on github.actor == 'dependabot[bot]' so
commits pushed to a Dependabot PR by anyone else fall back to the explicit
safe_to_test opt-in instead of running automatically with secret access.
@zinduolis zinduolis added the safe_to_test Label to trigger tests on PR label May 29, 2026
@github-actions github-actions Bot removed the safe_to_test Label to trigger tests on PR label May 29, 2026
@zinduolis zinduolis merged commit 4d1df8f into master May 29, 2026
8 checks passed
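
The gate this PR describes, modelled as an added example (not code from the PR or the project) and run against the behaviours listed under Test Cases plus the case the follow-up commit covers. It assumes the merged condition is the description's expression with the `github.actor` check ANDed into the Dependabot clause; `make_event`, `should_run` and `removes_label` are hypothetical names and all payloads are constructed.

```python
# Added illustration: Python model of the BrowserStack job's `if:` gate.
# Assumption: the merged condition is the PR description's expression with the
# follow-up commit's github.actor check ANDed into the Dependabot clause.
BOT = "dependabot[bot]"
OPT_IN_LABEL = "safe_to_test"


def make_event(action, pr_author, label=None):
    """Build a constructed pull_request_target payload with only the fields used."""
    event = {"action": action, "pull_request": {"user": {"login": pr_author}}}
    if label is not None:
        event["label"] = {"name": label}
    return event


def should_run(event, actor):
    """Return True when the job-level condition would start the BrowserStack job."""
    # github.event.label is null on non-label events, so there is no name to match.
    label_name = (event.get("label") or {}).get("name")
    auto_run = (
        event["pull_request"]["user"]["login"] == BOT
        and actor == BOT
        and event["action"] != "labeled"
    )
    return auto_run or label_name == OPT_IN_LABEL


def removes_label(event):
    """The 'Remove safe_to_test label' step is scoped to labeled events."""
    return event["action"] == "labeled"


# Constructed cases: (description, event, github.actor, expected decision)
CASES = [
    ("Dependabot opens PR", make_event("opened", BOT), BOT, True),
    ("Dependabot rebases PR", make_event("synchronize", BOT), BOT, True),
    ("Dependabot labels own PR", make_event("labeled", BOT, "dependencies"), BOT, False),
    ("Human PR opened", make_event("opened", "contributor"), "contributor", False),
    ("Human PR gets other label", make_event("labeled", "contributor", "bug"), "maintainer", False),
    ("Human PR gets opt-in label", make_event("labeled", "contributor", OPT_IN_LABEL), "maintainer", True),
    ("Someone else pushes to Dependabot PR", make_event("synchronize", BOT), "contributor", False),
    ("Maintainer opts that PR back in", make_event("labeled", BOT, OPT_IN_LABEL), "maintainer", True),
]

if __name__ == "__main__":
    for description, event, actor, expected in CASES:
        decision = should_run(event, actor)
        status = "ok" if decision == expected else "MISMATCH"
        print(f"{status:8} run={decision!s:5} {description}")
```

With the widened trigger, every opened/synchronize/reopened event on any PR now starts the workflow, so the job-level condition is the only thing keeping the secret-bearing job from running on non-Dependabot PRs without the label.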