
@Jayant2908 Jayant2908 commented Jan 19, 2026

Closes #98
This PR updates BLT-Action’s auto-assignment logic so that bot and GitHub App accounts are never assigned when they comment with /assign (or equivalent keywords). Only real user accounts (user.type === "User") can trigger assignment/unassignment now, which prevents tools like CodeRabbit from being auto-assigned to issues/PRs.

What’s changed

  1. Assignment flow now ignores non-user accounts
  • In the issue_comment handler, the action now checks the commenter’s user.type.

  • If the commenter is not a regular user (for example, type is Bot), the action logs a “Skipping /assign from non-user account” message and returns early.

  • This guarantees that bot or GitHub App comments cannot trigger self-assignment.

  2. Unassignment flow aligned with the same rule
  • The same user.type === "User" check is applied in the unassignment path so that bots also cannot trigger unassignment commands.

  • This keeps behavior consistent between assignment and unassignment.

  3. Clearer logging
  • When a non-user account is skipped, the logs now include the login and account type.

  • This makes it obvious in the Actions logs why a /assign comment from a bot did not result in an assignment.

  4. No change for human users
  • For normal GitHub users, behavior remains the same:

  • /assign still attempts to assign the commenter.

How this was tested

Local testing was done using act against a BLT fork with a small “Bounty Test” workflow that invokes BLT-Action on issue_comment events and passes a GitHub token via secrets.

Two event payloads were used:

  1. Human commenter scenario
  • Event JSON where comment.user.type is User.

  • The action processed the /assign comment and attempted to assign the human account to the issue, as expected.

  2. Bot commenter scenario
  • Event JSON where comment.user.type is Bot and the login is coderabbitai.

  • The action processed the comment but logged a message indicating that it was skipping /assign for a non-user account, and did not attempt to call the GitHub API to add assignees.

This confirms that human users can still use /assign normally, while bot accounts are now safely ignored by the auto-assignment logic.
All existing validation and checks remain in place.


Summary by CodeRabbit

  • New Features

    • Assignment/unassignment commands now only accept inputs from human users (mannequin accounts included); bot accounts and GitHub Apps are ignored.
  • Tests

    • Added tests covering human vs non-human commenter handling, command recognition, and mannequin account behavior.
  • Documentation

    • Updated README, Usage, and testing docs to note bot/GitHub App exclusion and the new test group.


coderabbitai bot commented Jan 19, 2026

Walkthrough

Adds utilities to detect human commenters and a guard in comment handling that blocks /assign and /unassign commands when the commenter is a non-human account (Bot or GitHub App). Tests and docs were added/updated to validate and document the guard.

Changes

  • Bot Guard Implementation (src/index.js, src/utils.js): Add isHumanCommenter() and extractUserInfo() in src/utils.js; integrate a guard in src/index.js that detects /assign and /unassign and returns early (logs and blocks) when the commenter is a non-human account (Bot or GitHub App).
  • Tests (src/mock-test.js): Add "Human commenter guard for /assign and /unassign" test suite covering human users, mannequin accounts, bots, and GitHub Apps; verifies guard behavior and command detection.
  • Documentation / Guides (README.md, USAGE.md, TESTING.md): Update notes to state assignment/unassignment commands are restricted to human users (bots and GitHub Apps excluded); add testing matrix entries for the new guard tests.

Sequence Diagram

sequenceDiagram
    participant GitHub as GitHub Event
    participant Index as index.js
    participant Utils as utils.js
    participant Assign as Assignment Logic

    GitHub->>Index: deliver comment event
    Index->>Index: parse comment for /assign or /unassign
    Index->>Utils: isHumanCommenter(comment)?
    alt Human (User / Mannequin)
        Utils-->>Index: true
        Index->>Assign: proceed with assignment/unassignment
        Assign-->>Index: operation result
        Index-->>GitHub: respond/complete
    else Non-human (Bot / App)
        Utils-->>Index: false
        Index->>Index: log guard message and return early
        Index-->>GitHub: no assignment performed
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 66.67%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)
  • Description Check (✅ Passed): Check skipped, CodeRabbit’s high-level summary is enabled.
  • Title check (✅ Passed): The title accurately summarizes the main change: excluding bot accounts from auto-assignment, which is the primary objective of this PR.
  • Linked Issues check (✅ Passed): The PR fully meets the objectives from issue #98 by implementing bot/app account filtering in assignment and unassignment logic, with proper user type validation.
  • Out of Scope Changes check (✅ Passed): All changes directly support the core objective of preventing bot/app auto-assignment: new utility functions for user type checking, guard logic in index.js, comprehensive tests, and documentation updates.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@src/mock-test.js`:
- Around line 490-497: Update the test data to use GitHub's actual bot account
type: change the appComment object's user.type from 'App' to 'Bot' in the mock
where appComment is defined (the block that builds appComment and asserts
isHumanCommenter(appComment) is false). Keep the existing assertions and
variable names (appComment, botComment) and ensure isHumanCommenter is still
called for both.
🧹 Nitpick comments (1)
src/mock-test.js (1)

453-467: Good test setup, but consider sharing the keywords constant.

The assignKeywords array is duplicated from src/index.js. If the keywords are updated in the main file, these tests could become stale without anyone noticing.

Consider exporting assignKeywords from a shared constants module or directly from index.js to keep them in sync:

// In a shared constants file or export from index.js
module.exports = { assignKeywords, unassignKeywords };

// In tests
const { assignKeywords } = require('../src/constants');

@github-project-automation github-project-automation bot moved this from Backlog to Ready in 📌 OWASP BLT Project Board Jan 19, 2026
@Jayant2908

@coderabbitai Can you check if this PR covers everything from PR #99? Also, can you check if assigning to Copilot is still possible, as maintainers sometimes assign Copilot.

coderabbitai bot commented Jan 19, 2026


🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Fetch PR `#99` details
gh pr view 99 --repo OWASP-BLT/BLT-Action --json title,body,state,files,author

# Read the current implementation in src/index.js to understand how assignment works
cat src/index.js

Length of output: 45761


🏁 Script executed:

#!/bin/bash
# Read src/utils.js to see the implementation of isHumanCommenter
cat src/utils.js

Length of output: 799


@Jayant2908, I've analyzed both PRs. Here's what I found:

Coverage Comparison: PR #104 vs PR #99

PR #104 covers everything from PR #99 and MORE:

  1. Core functionality: Both PRs block bots/GitHub Apps from triggering /assign and /unassign
  2. Same files modified: src/index.js, src/utils.js, src/mock-test.js, dist/index.js
  3. Enhanced scope: PR #104 goes further by also allowing Mannequin accounts (imported user accounts from other platforms) to use assignment commands, while PR #99 only allowed User type

From src/utils.js:

function isHumanCommenter(comment) {
    return (
        comment.user &&
        (comment.user.type === 'User' || comment.user.type === 'Mannequin')
    );
}

Verdict: PR #104 is essentially PR #99 with the Mannequin enhancement.


Copilot Assignment Question

Important clarification about how /assign works:

The /assign command in BLT-Action always assigns the commenter themselves, not a mentioned user. Looking at the code:

const assigneeLogin = comment.user.login; // Always the commenter

Can maintainers still assign Copilot?

  1. Not via /assign command:

    • If Copilot comments /assign, it's blocked (bot account)
    • If a maintainer comments /assign @copilot, the maintainer gets assigned, not Copilot (the command doesn't support @ mentions)
  2. Yes, via GitHub UI:

    • Maintainers can still manually assign Copilot through GitHub's assignee dropdown/UI
    • Manual UI assignments completely bypass this GitHub Action
    • The guard only affects the /assign and /unassign comment commands

Recommendation: If maintainers need to assign Copilot or other bots, they should continue using GitHub's native assignment UI. The /assign command is designed for self-assignment by human contributors only.
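The guard and the "always assigns the commenter" behaviour described above, as an added example that is not BLT-Action's own code: isHumanCommenter mirrors the src/utils.js snippet quoted in this thread, while handleComment(), the keyword lists and the sample payloads are constructed for this example.

```javascript
// Added example, not BLT-Action's own code: models the human-commenter guard
// from this PR and runs it over constructed issue_comment payloads.
// Keyword lists follow the phrases shown on this page; handleComment() and
// the payloads below are constructed for the example.
const assignKeywords = [
  '/assign', 'assign to me', 'assign this to me', 'work on this',
  'i can try fixing this', 'i am interested in doing this',
  'i am interested in contributing',
];
const unassignKeywords = ['/unassign'];

// Same rule as the src/utils.js snippet quoted above: only User and Mannequin
// accounts count as human. GitHub reports both bot users and GitHub Apps
// as type 'Bot' (see the review note on the mock test), so one check covers both.
function isHumanCommenter(comment) {
  return Boolean(
    comment.user &&
      (comment.user.type === 'User' || comment.user.type === 'Mannequin')
  );
}

// Decide what the action would do for one comment. Returns a plain result
// instead of calling the GitHub API so the decision can be checked offline.
function handleComment(comment) {
  const body = (comment.body || '').trim().toLowerCase();
  const wantsUnassign = unassignKeywords.some((k) => body.includes(k));
  const wantsAssign = !wantsUnassign && assignKeywords.some((k) => body.includes(k));
  if (!wantsAssign && !wantsUnassign) return { action: 'none' };

  const command = wantsAssign ? '/assign' : '/unassign';
  if (!isHumanCommenter(comment)) {
    // Mirrors the PR's "Skipping /assign from non-user account" log line,
    // including login and type so the Actions log explains the skip.
    const login = comment.user ? comment.user.login : '<no user>';
    const type = comment.user ? comment.user.type : '<no type>';
    return {
      action: 'skipped',
      reason: `Skipping ${command} from non-user account ${login} (${type})`,
    };
  }
  // The command always targets the commenter; an @mention in the body
  // does not change who gets assigned.
  return { action: wantsAssign ? 'assign' : 'unassign', assignee: comment.user.login };
}

// Constructed payloads (only the fields the guard reads).
const samples = {
  human: { body: '/assign', user: { login: 'alice', type: 'User' } },
  mention: { body: '/assign @copilot', user: { login: 'maintainer', type: 'User' } },
  bot: { body: '/assign', user: { login: 'coderabbitai', type: 'Bot' } },
  mannequin: { body: '/unassign', user: { login: 'imported-user', type: 'Mannequin' } },
  noUser: { body: '/assign' },
  chatter: { body: 'thanks for the fix', user: { login: 'bob', type: 'User' } },
};

for (const [name, comment] of Object.entries(samples)) {
  console.log(name, JSON.stringify(handleComment(comment)));
}
```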

coderabbitai bot commented Jan 19, 2026


🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find documentation files in the repository
fd -e md -t f . --max-depth 3

# Read README.md if it exists
if [ -f "README.md" ]; then
  echo "=== README.md ==="
  cat README.md
fi

# Check for CONTRIBUTING.md
if [ -f "CONTRIBUTING.md" ]; then
  echo "=== CONTRIBUTING.md ==="
  cat CONTRIBUTING.md
fi

# Check for docs folder
if [ -d "docs" ]; then
  echo "=== docs folder contents ==="
  find docs -name "*.md" -type f -exec echo "File: {}" \; -exec cat {} \;
fi

# Search for any mentions of /assign in markdown files
echo "=== Mentions of /assign in .md files ==="
rg -n "/assign" --type=md -C 2

Length of output: 15107


@Jayant2908, here are the minimum code changes needed for documentation:

File 1: README.md

Location: In the "Assignment Commands" section (around line 155-170)

 #### Assignment Commands
 - **Self-assign to an issue**: Comment any of these on an issue:
   - `/assign`
   - `assign to me`
   - `assign this to me`
   - `work on this`
   - `i can try fixing this`
   - `i am interested in doing this`
   - `i am interested in contributing`
+  
+  **Note**: Only human users can use assignment commands. Bot accounts and GitHub Apps are automatically excluded from assignment/unassignment.
   
   The action will:
   - Check if you have any other open assigned issues without pull requests
   - Assign you if eligible and add an "assigned" label
   - Give you 24 hours to submit a pull request
   
 - **Unassign yourself**: Comment `/unassign` on the issue
   - Removes you from the issue
   - Removes the "assigned" label
   - Makes the issue available for others
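Review bot: the added note sits under the self-assign bullet only, while the `- **Unassign yourself**: Comment `/unassign` on the issue` bullet at the end of this hunk is left unchanged; since the PR applies the same user.type check on the unassignment path, the exclusion should be repeated there (for example as a sub-bullet "Human accounts only; bot and GitHub App comments are ignored") so a reader of that bullet alone sees the restriction.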

File 2: USAGE.md

Location: In the "Features" section (around line 15-17)

 ## Features
 
-- **Assignment Management**: Users self-assign via `/assign` or natural language phrases
+- **Assignment Management**: Human users self-assign via `/assign` or natural language phrases (bot accounts and GitHub Apps are excluded)
 - **Unassignment**: Users can unassign via `/unassign`
 - **Stale Issue Handling**: Auto-unassigns after 24 hours of inactivity without a PR
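Review bot: the unchanged context line `- **Unassignment**: Users can unassign via `/unassign`` directly below the edited bullet should get the same "(bot accounts and GitHub Apps are excluded)" parenthetical, because the guard blocks /unassign from non-human accounts just as it blocks /assign; leaving only the assignment bullet annotated makes the feature list describe the two paths inconsistently.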

That's it! These are the absolute minimum changes needed:

  • ✅ 1 note added to README.md explaining the restriction
  • ✅ 1 parenthetical clarification in USAGE.md

Both changes clearly communicate that bot accounts and GitHub Apps cannot use /assign or /unassign commands, which is the core functionality of PR #104.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@TESTING.md`:
- Line 167: Update the summary table row that currently reads "| **Total** |
**17** | **✅** |" to reflect the correct total of 22 tests (i.e., change 17 to
22) so it matches the count stated on line 15 and includes the 5 new Human
Commenter Guard tests.
- Line 58: Replace the malformed header line "#### 8.   (5 tests)" with a
properly formatted test-group header following the pattern used elsewhere, e.g.
"#### 8. Human Commenter Guard (5 tests)"; locate the header by searching for
the exact string "#### 8.   (5 tests)" and update it to include the title "Human
Commenter Guard" and normalize spacing to match "#### N. Title (X tests)".

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@TESTING.md`:
- Line 15: Update the summary line in TESTING.md that currently reads "Total: 22
tests across 6 categories" to reflect the correct number of categories (change
"6" to "8") so it matches the listed categories (Assignment Management, Label
Management, Giphy Integration, Kudos System, Command Detection, Attribution,
Error Handling, Human Commenter Guard); ensure the updated string remains
consistent with the document's formatting.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@TESTING.md`:
- Line 15: Replace the emphasized summary line using a proper Markdown heading
to satisfy MD036; change the bold line "**Total: 22 tests across 8 categories**"
to an appropriate heading (e.g., "## Total: 22 tests across 8 categories") in
TESTING.md so the summary is a real heading instead of emphasis-as-heading.

@Jayant2908

@coderabbitai Can you check if all issues have been fixed?

coderabbitai bot commented Jan 20, 2026


🧩 Analysis chain

🏁 Script executed:

#!/bin/bash

# Check PR `#104` review status, comments, and approval state
echo "=== PR `#104` Status ==="
gh pr view 104 --repo OWASP-BLT/BLT-Action --json title,state,reviews,reviewDecision,comments

echo -e "\n=== Review comments on PR `#104` ==="
gh pr view 104 --repo OWASP-BLT/BLT-Action --comments

echo -e "\n=== Current README.md (relevant section) ==="
# Check if documentation changes were applied
rg -n -A 5 "Assignment Commands|Bot accounts" README.md || echo "Pattern not found in README.md"

echo -e "\n=== Current USAGE.md (Features section) ==="
rg -n -A 3 -B 2 "Assignment Management|Features" USAGE.md || echo "Pattern not found in USAGE.md"

echo -e "\n=== Check for any CI/test failures ==="
gh pr checks 104 --repo OWASP-BLT/BLT-Action

Length of output: 53667


🏁 Script executed:

#!/bin/bash

# Read TESTING.md to check the current state of line 15
echo "=== TESTING.md line 15 area ==="
sed -n '10,20p' TESTING.md

echo -e "\n=== Check for any bold text being used as headings ==="
rg -n '^\*\*.*\*\*$' TESTING.md

echo -e "\n=== All actual headings in TESTING.md ==="
rg -n '^#{1,6} ' TESTING.md

Length of output: 1649


@Jayant2908, great progress! Almost all issues have been fixed. Here's the status:

✅ Resolved Issues

  1. Documentation updates - Both implemented successfully:

    • ✅ README.md: Bot protection note added at line 171
    • ✅ USAGE.md: Bot exclusion noted for both Assignment and Unassignment features (lines 15-16)
  2. Code implementation - All working correctly:

    • ✅ Bot guard logic in src/index.js
    • ✅ Utility functions in src/utils.js
    • ✅ Comprehensive tests in src/mock-test.js
  3. CI checks - Passing:

    • ✅ CodeRabbit review completed successfully

❌ Remaining Issue (1)

TESTING.md - MD036 linting violation:

Line 15 and a few other lines use bold emphasis instead of proper Markdown headings, which violates the MD036 rule.

Current (incorrect):

**Total: 22 tests across 8 categories**

Should be:

## Total: 22 tests across 8 categories

Quick fix needed for these lines:

  • Line 15: replace **Total: 22 tests across 8 categories** with ## Total: 22 tests across 8 categories
  • Line 70: replace **Tests include:** with #### Tests include:
  • Line 111: replace **Checks:** with #### Checks:
  • Line 119: replace **Steps:** with #### Steps:

Once you convert these bold lines to proper headings, all issues will be resolved! 🎉

@Jayant2908
Copy link
Author

This document error is followed throughout the doc. All other issues have been fixed.

@Nachiket-Roy Nachiket-Roy left a comment


LGTM!! Also, I think we only have the /unassign command, not any other phrases, so some tests can be removed safely.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@TESTING.md`:
- Around line 58-64: The header "#### 8. Human Commenter Guard (5 tests)" is
inconsistent with the actual four tests in the suite; update the header in
TESTING.md to "#### 8. Human Commenter Guard (4 tests)" so it matches the four
`it` blocks in src/mock-test.js (the Human Commenter Guard test suite), or
alternatively add the missing fifth `it` in src/mock-test.js if you intended
five tests—prefer the minimal fix of changing the header to (4 tests).
♻️ Duplicate comments (2)
TESTING.md (2)

15-15: Use a real heading instead of bold emphasis (MD036).

✅ Proposed fix
-**Total: 21 tests across 8 categories**
+#### Total: 21 tests across 8 categories
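Review bot: the replacement uses a `####` heading while the earlier review comment on this same line proposed `##`; the level should be chosen from the surrounding hierarchy in TESTING.md rather than picked per comment, and whichever level is used, the other bold-as-heading lines flagged earlier (`**Tests include:**`, `**Checks:**`, `**Steps:**`) need the same conversion or MD036 keeps firing.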

165-166: Summary table totals likely omit the tip test.

src/mock-test.js includes a “tip comment” test (lines 218-244) that isn’t reflected in the summary table, so the total of 21 may be undercounted. Consider adding a category row and updating totals, or explicitly folding that test into an existing category.

📝 Example update (add Tip Requests row)
 | Error Handling | 3 | ✅ |
+| Tip Requests | 1 | ✅ |
 | Human Commenter Guard | 4 | ✅ |
-| **Total** | **21** | **✅** |
+| **Total** | **22** | **✅** |
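Review bot: adding a `Tip Requests` row and raising the total to 22 turns the table into nine categories, so the line-15 summary `Total: 21 tests across 8 categories` must be updated in the same change (22 tests, 9 categories) or the tip test folded into an existing row as the alternative suggests; otherwise the header and table drift apart again, as they did earlier in this review with 17 versus 22.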


Successfully merging this pull request may close these issues.

Exclude bot accounts (e.g. coderabbitai) from auto-assignment
