docs: address PR review feedback on bot-guard rationale and Dependabot workflow PRs

bindsi · bindsi · commit d5ff757866f2 · 2026-04-23T10:49:24.000+01:00
- pr-review.md: clarify that dependabot[bot] is skipped because dependency-pr-review
  owns automated review for dependency bumps (RI-1).
- CONTRIBUTING.md: document that Dependabot PRs bumping action SHAs inside
  .github/workflows/*.yml require manual maintainer review because GitHub strips
  secrets from workflow-file PRs (RI-3).
diff --git a/.github/workflows/pr-review.md b/.github/workflows/pr-review.md
@@ -67,6 +67,9 @@ Check the PR state from the event context.
 * The PR author (`github.event.pull_request.user.login`) is `dependabot[bot]`
   or `github-actions[bot]`: call `noop` with message "Skipping: PR authored by
   bot." Keep this list aligned with the `skip-bots` frontmatter entry above.
+  Dependabot PRs are handed off to the `dependency-pr-review` workflow, which
+  owns automated review for dependency bumps; this guard prevents duplicate
+  review from `pr-review`.
 
 **Failure to call `noop` when no review action is taken will cause workflow failure.**
 
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -91,6 +91,7 @@ We strongly recommend using the provided DevContainer, which comes pre-configure
   * [Artifact Types](#artifact-types)
   * [Essential Resources](#essential-resources)
   * [Quick Reference](#quick-reference)
+* [Dependabot Pull Requests](#dependabot-pull-requests)
 * [Pull Request Inactivity Policy](#pull-request-inactivity-policy)
   * [Active Pull Requests](#active-pull-requests)
   * [Draft Pull Requests](#draft-pull-requests)
@@ -242,6 +243,12 @@ Before contributing AI artifacts, review these resources:
 * Prompts directory: [`.github/prompts/`](./.github/prompts/)
 * Skills directory: [`.github/skills/`](./.github/skills/)
 
+## Dependabot Pull Requests
+
+Dependabot PRs are reviewed automatically by the `dependency-pr-review` workflow for most dependency manifests (`package.json`, `package-lock.json`, `requirements.txt`, `pyproject.toml`, and `.devcontainer/**`).
+
+PRs that bump pinned action SHAs inside `.github/workflows/*.yml` are **not** covered by the automated review because GitHub strips secrets from workflow-file PRs, which prevents the workflow from running. Maintainers must review and merge those workflow-file bumps manually, verifying SHA pinning, upstream release notes, and license compatibility before approval.
+
 ## Pull Request Inactivity Policy
 
 Pull requests that remain inactive accumulate merge conflicts and delay feedback loops. This section defines closure timelines for inactive PRs. Automation that enforces this policy is a separate effort that references these thresholds.
