
juliajohannesen
Contributor

#1036 is currently stuck on some CI jobs as a result of CodeQL, pre-commit, and Zizmor not working when the PR author is github-actions[bot]. This PR allows them to be skipped in that case, but adds policy-bot to enforce that.

One question is if any work needs to be done to apply the same restrictions laid out in this part of our terraform config for this repository.

@juliajohannesen juliajohannesen requested a review from a team as a code owner August 15, 2025 20:00
@zerok
Contributor

zerok commented Aug 20, 2025

I'm slightly confused as to why these workflows aren't triggered. At least the codeql one has ready_for_review as trigger but the others don't. Wouldn't it be easier to just add that trigger there too?

@juliajohannesen
Contributor Author

I assume for the same reason as github/codeql-action#2858? Unless that's specific to dependabot.

@zerok
Contributor

zerok commented Aug 26, 2025

That's the point of having these release PRs marked as draft first. Then someone goes in and moves them to "ready for review" and the jobs should be triggered 🙂

@juliajohannesen
Contributor Author

I'm pretty sure it was still waiting on CodeQL to pass even after the actions ran via ready_for_review, presumably because they're integrated as part of the platform?

@guicaulada
Contributor

guicaulada commented Aug 28, 2025

Hey, I think Horst has a point here, if adding the ready_for_review trigger to all actions would work then I think that's a better approach.

Currently, only the pre-commit workflow is not running when we "undraft" the PR.

CodeQL and other workflows would run.
