fix: estc-pr-buildkite-detective bot allowlist, noop safe-output, and PR discovery

[Copilot]

This PR fixes three issues in the estc-pr-buildkite-detective workflow where PR association and safe output handling could fail.

What changed

• Bot allowlist: Added buildkite-limited-access[bot] alongside the configurable allowed-bot-users input.
• noop safe-output: Declared noop under safe-outputs so the agent can emit it when no PR can be resolved.
• Status-event commit SHA extraction: For status events, switched to .commit.sha rather than .sha.
• Event context extraction: Added:
  • check_run: BK_PR_NUMBERS from .check_run.pull_requests[].number, BK_TARGET_URL from .check_run.details_url
  • status: BK_BRANCHES from .branches[].name, BK_TARGET_URL from .target_url
• jq null-safety: Added // [] fallback for .branches and .check_run.pull_requests arrays to prevent errors when these fields are null.
• BK_PR_NUMBERS empty handling: Emits an empty string instead of [] when no pull requests are present, so downstream "non-empty" checks are unambiguous.
• PR discovery flow (Step 1): Updated to prefer event-provided PR numbers (check_run) and otherwise fall back to gh api repos/{repo}/commits/{sha}/pulls plus branch matching (status), instead of listing all open PRs and matching only head.sha. Results from commits/{sha}/pulls are now filtered to keep only PRs with state == "open" and matching head.ref, preventing misrouting to closed or historical PRs.
• Prompt context additions: The context now includes:

- **Target URL**: $\{\{ env.BK_TARGET_URL }}
- **PR Numbers**: $\{\{ env.BK_PR_NUMBERS }}
- **Branches**: $\{\{ env.BK_BRANCHES }}

Also includes the corresponding compiled lockfile updates.

---

The body of this PR is automatically managed by the Trigger Update PR Body workflow.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[v1v]

This is not correct, the .sha points to the workflow reference

It should point to the branch from the PR.

For instance, see #632 (comment)

[v1v]

https://docs.github.com/en/actions/reference/workflows-and-actions/contexts

github.sha | string | The commit SHA that triggered the workflow. The value of this commit SHA depends on the event that triggered the workflow. For more information, see Events that trigger workflows. For example, ffac537e6cbbf934b08745a378932722df287a53.
-- | -- | --


github.sha	string	The commit SHA that triggered the workflow. The value of this commit SHA depends on the event that triggered the workflow. For more information, see [Events that trigger workflows](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows). For example, ffac537e6cbbf934b08745a378932722df287a53.

[Copilot]

Fixed in 24933f3. For status events, BK_COMMIT_SHA now extracts the PR branch commit from .branches[] by filtering out the default branch (read from .repository.default_branch), falling back to .sha only when no non-default branch is present.

[strawgate]

@copilot please address feedback

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4088b5fd-5436-4126-9151-4e2cdb174f7b

📥 Commits

Reviewing files that changed from the base of the PR and between 9726469 and 1d5daa1.

📒 Files selected for processing (2)

• .github/workflows/gh-aw-estc-pr-buildkite-detective.lock.yml
• .github/workflows/gh-aw-estc-pr-buildkite-detective.md

---

📝 Walkthrough

Walkthrough

Adds Buildkite context variables (BK_BRANCHES, BK_PR_NUMBERS, BK_TARGET_URL) and propagates them through prompt rendering and placeholder substitution; prefers explicit PR numbers when present, otherwise resolves PRs via GitHub commit- and branch-based queries and noops with a standard message if none found. Appends buildkite-limited-access[bot] to allowed-bots, adds a noop safe-output, and expands investigation into two paths (MCP/API access vs public Buildkite page fallback) for evidence collection.

Possibly related PRs

• Split out Elastic-specific workflows with estc- prefix #431: Direct edits to the same gh-aw-estc-pr-buildkite-detective workflow file and related Buildkite context propagation.
• Fix PR Buildkite Detective for status/check_run failures #422: Overlaps PR-resolution logic for resolving PRs from commit SHAs and branch/context data.
• Support public Buildkite pipelines in pr-buildkite-detective #427: Implements or modifies the Buildkite public-fallback vs API/MCP investigation flow and log-evidence collection.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	PR addresses all objectives from issue #632: bot allowlist fix, noop safe-output declaration, event field extraction (BK_PR_NUMBERS, BK_BRANCHES, BK_TARGET_URL), and PR discovery logic improvements.
Out of Scope Changes check	✅ Passed	All changes are scoped to issue #632 requirements: workflow configuration updates, bot allowlist, safe-output declarations, and PR discovery logic.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch copilot/fix-buildkite-config-issues

• 🛠️ Update Documentation: Commit on current branch
• 🛠️ Update Documentation: Create PR

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Requesting changes: PR association in Step 1 still needs candidate validation to avoid selecting unrelated historical PRs from commits/{sha}/pulls.

---

What is this? | From workflow: Trigger PR Review

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[github-actions]

gh api repos/.../commits/{commit_sha}/pulls can return closed/historical PR associations, so treating any result as the target PR may mis-route analysis to the wrong PR for status events.

In the exact failure mode this PR is fixing (status SHA not equal to current PR head), this step can still stop on an unrelated merged PR and never reach branch-based open-PR matching. Please require candidate validation (e.g., open state and/or head.ref match against BK_BRANCHES) before accepting commit-associated PRs, and fall back when none validate.

[strawgate]

@copilot please address feedback

[Copilot]

@copilot please address feedback

Addressed in 95a73f1. Simplified the commit SHA extraction for status events to use .commit.sha from the event payload (as @v1v identified), replacing the overcomplicated .branches[] workaround.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/gh-aw-estc-pr-buildkite-detective.md:
- Around line 103-106: The jq expressions that set BK_BRANCHES and the later PR
extraction read arrays that may be null; update the echo lines that build
BK_BRANCHES and BK_PR_NUMBERS to defensively extract arrays using the optional
iterator and a default empty array (e.g., use .branches[]? and/or wrap with //
[]), and do the same for any `.pull_requests` or similar array extractions
reading from GITHUB_EVENT_PATH so iterations over BK_BRANCHES and BK_PR_NUMBERS
never break on null.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: faeef151-0896-4f83-9e4c-a9cc53b3a5da

📥 Commits

Reviewing files that changed from the base of the PR and between 530cc72 and 9726469.

📒 Files selected for processing (2)

• .github/workflows/gh-aw-estc-pr-buildkite-detective.lock.yml
• .github/workflows/gh-aw-estc-pr-buildkite-detective.md

[strawgate]

/ai please address feedback

[strawgate]

@copilot please address feedback

[Copilot]

@copilot please address feedback

Addressed all review feedback in 9deb89a:

1. jq null-safety: .branches and .pull_requests now use // [] fallback to avoid errors on null arrays
2. BK_PR_NUMBERS: Emits empty string instead of [] when no PRs, so the downstream "non-empty" check is unambiguous
3. PR candidate validation: commits/{sha}/pulls results are now filtered for state == "open" and head.ref matching BK_BRANCHES before accepting, preventing misrouting to closed/historical PRs

[github-actions]

The branch-only fallback can mis-associate unrelated PRs when multiple open PRs share the same head.ref (common with forks or generic branch names like main/fix-ci).

In this path, candidates are matched only by branch name from BK_BRANCHES, which doesn’t include repo owner/context. That can route analysis/comments to the wrong PR.

Please add a disambiguation requirement in the fallback (for example: match head.repo.full_name and/or verify candidate head.sha/status target_url context before accepting).