fix: estc-pr-buildkite-detective bot allowlist, noop safe-output, and PR discovery

.github/workflows/gh-aw-estc-pr-buildkite-detective.md

@@ -64,6 +64,7 @@ on:
   roles: [admin, maintainer, write]
   bots:
     - "${{ inputs.allowed-bot-users }}"
+    - "buildkite-limited-access[bot]"
 concurrency:
   group: ${{ github.workflow }}-estc-pr-buildkite-detective-${{ github.run_id }}
   cancel-in-progress: false
@@ -88,6 +89,7 @@ network:
     - "buildkite.com"
 safe-outputs:
   activation-comments: false
+  noop:
 strict: false
 timeout-minutes: 30
 steps:
@@ -98,11 +100,17 @@ steps:
       if [ "$GITHUB_EVENT_NAME" = "status" ]; then
         echo "BK_EVENT_ID=$(jq -r '.id' "$GITHUB_EVENT_PATH")" >> "$GITHUB_ENV"
         echo "BK_FAILURE_STATE=$(jq -r '.state' "$GITHUB_EVENT_PATH")" >> "$GITHUB_ENV"
-        echo "BK_COMMIT_SHA=$(jq -r '.sha' "$GITHUB_EVENT_PATH")" >> "$GITHUB_ENV"
+        echo "BK_COMMIT_SHA=$(jq -r '.commit.sha' "$GITHUB_EVENT_PATH")" >> "$GITHUB_ENV"
+        echo "BK_TARGET_URL=$(jq -r '.target_url // empty' "$GITHUB_EVENT_PATH")" >> "$GITHUB_ENV"
+        echo "BK_BRANCHES=$(jq -c '[(.branches // [])[].name]' "$GITHUB_EVENT_PATH")" >> "$GITHUB_ENV"
+        echo "BK_PR_NUMBERS=" >> "$GITHUB_ENV"
       else
         echo "BK_EVENT_ID=$(jq -r '.check_run.id' "$GITHUB_EVENT_PATH")" >> "$GITHUB_ENV"
         echo "BK_FAILURE_STATE=$(jq -r '.check_run.conclusion' "$GITHUB_EVENT_PATH")" >> "$GITHUB_ENV"
         echo "BK_COMMIT_SHA=$(jq -r '.check_run.head_sha' "$GITHUB_EVENT_PATH")" >> "$GITHUB_ENV"
+        echo "BK_TARGET_URL=$(jq -r '.check_run.details_url // empty' "$GITHUB_EVENT_PATH")" >> "$GITHUB_ENV"
+        echo "BK_BRANCHES=" >> "$GITHUB_ENV"
+        echo "BK_PR_NUMBERS=$(jq -rc '[(.check_run.pull_requests // [])[].number] | if length == 0 then "" else . end' "$GITHUB_EVENT_PATH")" >> "$GITHUB_ENV"
       fi
   - name: Repo-specific setup
     if: ${{ inputs.setup-commands != '' }}
@@ -124,6 +132,9 @@ Analyze failed Buildkite CI builds for pull requests in ${{ github.repository }}
 - **Event ID**: ${{ env.BK_EVENT_ID }}
 - **Failure State**: ${{ env.BK_FAILURE_STATE }}
 - **Commit SHA**: ${{ env.BK_COMMIT_SHA }}
+- **Target URL**: ${{ env.BK_TARGET_URL }}
+- **PR Numbers**: ${{ env.BK_PR_NUMBERS }}
+- **Branches**: ${{ env.BK_BRANCHES }}
 - **Buildkite Organization**: ${{ inputs.buildkite-org }}
 
 ## Constraints
@@ -155,8 +166,11 @@ Classify each failure to guide your investigation:
 ### Step 1: Gather Context
 
 1. Use the commit SHA provided in the Context section above. If it is empty, discover it from the PR's commit statuses or check runs.
-2. Call `list_pull_requests` for the repository (open PRs), then call `pull_request_read` with method `get` on candidates and keep PRs where `head.sha` matches the failed commit SHA. If none match, call `noop` with message "No pull request associated with failed commit status; nothing to do" and stop.
-3. For each matching PR, keep author, branches, and fork status for downstream analysis.
+2. Find the associated pull request(s):
+   - If **PR Numbers** in the Context section above is non-empty (e.g., from `check_run` events), use those PR numbers directly with `pull_request_read` method `get`.
+   - Otherwise, use `bash` + `gh api repos/${{ github.repository }}/commits/{commit_sha}/pulls` to find PRs containing the commit SHA. Filter the results to keep only PRs whose `state` is `"open"` and, when **Branches** is available, whose `head.ref` matches one of the listed branches. If no candidates remain, also try searching open PRs whose head branch matches one of the **Branches** listed in the Context section.
+   - If no PR is found after all attempts, call `noop` with message "No pull request associated with failed commit status; nothing to do" and stop.
+3. For each matching PR, call `pull_request_read` with method `get` to capture the author, branches, and fork status for downstream analysis.
 
 ### Step 2: Find the Buildkite Build