Shopify · byrichardpowell · Apr 21, 2026 · Apr 21, 2026
@@ -2,18 +2,22 @@ name: Gardener - Notify Event
 # Tiny event capturer: stashes the triggering issue/PR payload as an artifact
 # for `gardener-notify-slack.yml` to pick up via workflow_run.
 #
+# Fires when `devtools-gardener` is applied manually, or automatically for
+# Dependabot-opened PRs (which we always want in Slack). Other `opened`
+# events are ignored — auto-labeling everything turned out too noisy.
+#
 # Why two workflows? When Dependabot triggers a workflow, GitHub forces
 # GITHUB_TOKEN to read-only and hides Actions secrets — so labeling and
-# Slack posting from this workflow would fail on every Dependabot PR. A
+# Slack posting from this workflow would fail on Dependabot PRs. A
 # workflow_run-triggered follow-up runs in the default-branch context with
 # full permissions and secret access, regardless of the upstream actor.
 #
-# Uses pull_request_target so fork-opened PRs still produce an artifact.
-# No code is checked out here; this workflow only reads the pre-parsed
-# event payload, so there is no pwn-request surface.
+# Uses pull_request_target so fork PRs still produce an artifact when
+# labeled. No code is checked out here; this workflow only reads the
+# pre-parsed event payload, so there is no pwn-request surface.
 on:
   issues:
-    types: [opened, labeled]
+    types: [labeled]
   pull_request_target:
     types: [opened, labeled]
 
@@ -22,7 +26,9 @@ permissions:
 
 jobs:
   capture:
-    if: github.event.action == 'opened' || github.event.label.name == 'devtools-gardener'
+    if: >-
+      github.event.label.name == 'devtools-gardener' ||
+      (github.event.action == 'opened' && github.event.pull_request.user.login == 'dependabot[bot]')
     runs-on: ubuntu-latest
     steps:
       - name: Stash event payload

@@ -1,11 +1,15 @@
 name: Gardener - Notify Slack
-# Runs after `Gardener - Notify Event` completes and does the real work:
-# applies the devtools-gardener label and posts a summary to Slack.
+# Runs after `Gardener - Notify Event` completes. Posts a summary to Slack,
+# and for Dependabot-opened PRs also applies the `devtools-gardener` label
+# (so Dependabot PRs show up in the gardener flow without a human having
+# to label them).
 #
 # The workflow_run trigger runs this job in the default-branch context with
 # full GITHUB_TOKEN permissions and Actions secret access — this is what
 # lets it succeed for Dependabot-opened PRs, where the upstream event
-# workflow can't label or reach secrets directly.
+# workflow can't label or reach secrets directly. Labels applied here via
+# GITHUB_TOKEN do not trigger another `labeled` run (loop prevention), so
+# Slack only gets one post per PR.
 on:
   workflow_run:
     workflows: ['Gardener - Notify Event']
@@ -34,23 +38,21 @@ jobs:
           run-id: ${{ github.event.workflow_run.id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Add devtools-gardener label
+      - name: Add devtools-gardener label to Dependabot PR
         if: steps.download.outcome == 'success'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GH_REPO: ${{ github.repository }}
         run: |
           ACTION=$(jq -r '.action' event.json)
-          # On `labeled` events the label is already there — skip.
-          if [ "$ACTION" != "opened" ]; then
+          LOGIN=$(jq -r '.pull_request.user.login // ""' event.json)
+          # Only the Dependabot-opened path needs labeling here. On manual
+          # `labeled` events the label is already on the PR/issue.
+          if [ "$ACTION" != "opened" ] || [ "$LOGIN" != "dependabot[bot]" ]; then
             exit 0
           fi
-          NUMBER=$(jq -r '(.issue // .pull_request).number' event.json)
-          if jq -e 'has("pull_request")' event.json > /dev/null; then
-            gh pr edit "$NUMBER" --add-label devtools-gardener
-          else
-            gh issue edit "$NUMBER" --add-label devtools-gardener
-          fi
+          NUMBER=$(jq -r '.pull_request.number' event.json)
+          gh pr edit "$NUMBER" --add-label devtools-gardener
 
       - name: Post to Slack
         if: steps.download.outcome == 'success'