fix: add workflow_dispatch trigger to dependabot-rebase workflow#130
fix: add workflow_dispatch trigger to dependabot-rebase workflow#130don-petry wants to merge 1 commit into
Conversation
|
There was a problem hiding this comment.
Pull request overview
Adds a manual trigger to the repository’s Dependabot rebase “thin caller stub” workflow so maintainers can run the Dependabot rebase/merge process on-demand (e.g., after large batch updates) without needing a push to main.
Changes:
- Add
workflow_dispatchtrigger to the Dependabot rebase workflow.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 57 minutes and 46 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
don-petry
left a comment
There was a problem hiding this comment.
Automated review — NEEDS HUMAN REVIEW
Risk: MEDIUM
Reviewed commit: c4424fe9f1ed5fca514ee6f3a9b71a9bc4115a98
Cascade: triage → audit (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)
Summary
PR adds a workflow_dispatch trigger to a thin-caller Dependabot rebase workflow that the file's own header comment explicitly forbids editing ('You MUST NOT change: trigger event'; 'Adopt verbatim' — changes belong in the upstream reusable at petry-projects/.github). Direct security impact of workflow_dispatch is low (no inputs, job-level permissions are read-only, requires repo write access, concurrency group prevents races), but standards compliance fails and the pnpm audit gate is FAILURE. Rounding up on uncertainty and escalating for human review.
Findings
Major
standards-compliance·.github/workflows/dependabot-rebase.yml:31— Edits a file whose own AGENTS header (lines 1-19) states it is a thin caller stub that must be adopted verbatim and explicitly lists the trigger event as MUST NOT CHANGE. Policy directs that any behavioral changes be made in the upstream reusable workflow (petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml). This local override bypasses centralized governance and will drift from org standards.ci-gate-failure— Required check 'dependency-audit / pnpm audit' is FAILURE. mergeStateStatus is BLOCKED. Likely pre-existing dependency vulnerabilities unrelated to this PR, but the gate is not green and must be addressed before merge.
Minor
github-actions-security·.github/workflows/dependabot-rebase.yml:31— Adds workflow_dispatch with no inputs. Manual dispatch requires repo write access and the job-level permissions are read-only (contents: read, pull-requests: read); the merge capability flows from secrets: inherit (APP_ID / APP_PRIVATE_KEY) into the reusable. No expression injection surface is introduced because there are no dispatch inputs. Residual risk: any actor with repo write (or a compromised PAT with actions:write) can now on-demand trigger the Dependabot auto-merge pipeline instead of waiting for a push to main. Concurrency group 'dependabot-update-and-merge' with cancel-in-progress:false mitigates race abuse.
Info
scope·.github/workflows/dependabot-rebase.yml— Diff is +2/-0, one file, no code, no secrets added, no new third-party actions, no dependency bumps, no permission escalation at the workflow or job level. No authN/authZ, input validation, crypto, data exposure, or supply chain concerns identified.
CI status
mergeStateStatus is BLOCKED — required check 'dependency-audit / pnpm audit' is FAILURE.
Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
Review — fix requested (cycle 1/3)The automated review identified the following issues. Please address each one: Findings to fix
Additional tasks
The review cascade will automatically re-review after new commits are pushed. |
|
Superseded by # which adopts the full standard verbatim including workflow_dispatch and the corrected SHA. |



Adds
workflow_dispatchto allow manual triggering of the Dependabot rebase workflow to flush the PR queue after batch updates. See petry-projects/.github#139