Skip to content

fix: add workflow_dispatch trigger to dependabot-rebase workflow#130

Closed
don-petry wants to merge 1 commit into
mainfrom
feat/dependabot-rebase-dispatch
Closed

fix: add workflow_dispatch trigger to dependabot-rebase workflow#130
don-petry wants to merge 1 commit into
mainfrom
feat/dependabot-rebase-dispatch

Conversation

@don-petry

Copy link
Copy Markdown
Contributor

Adds workflow_dispatch to allow manual triggering of the Dependabot rebase workflow to flush the PR queue after batch updates. See petry-projects/.github#139

Copilot AI review requested due to automatic review settings April 16, 2026 13:13
@sonarqubecloud

Copy link
Copy Markdown

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a manual trigger to the repository’s Dependabot rebase “thin caller stub” workflow so maintainers can run the Dependabot rebase/merge process on-demand (e.g., after large batch updates) without needing a push to main.

Changes:

  • Add workflow_dispatch trigger to the Dependabot rebase workflow.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@coderabbitai

coderabbitai Bot commented Apr 16, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 57 minutes and 46 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 57 minutes and 46 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c847ad63-ab2d-4ed4-86b1-8f45df4551b8

📥 Commits

Reviewing files that changed from the base of the PR and between 054d65e and c4424fe.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-rebase.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/dependabot-rebase-dispatch

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry don-petry left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — NEEDS HUMAN REVIEW

Risk: MEDIUM
Reviewed commit: c4424fe9f1ed5fca514ee6f3a9b71a9bc4115a98
Cascade: triage → audit (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

PR adds a workflow_dispatch trigger to a thin-caller Dependabot rebase workflow that the file's own header comment explicitly forbids editing ('You MUST NOT change: trigger event'; 'Adopt verbatim' — changes belong in the upstream reusable at petry-projects/.github). Direct security impact of workflow_dispatch is low (no inputs, job-level permissions are read-only, requires repo write access, concurrency group prevents races), but standards compliance fails and the pnpm audit gate is FAILURE. Rounding up on uncertainty and escalating for human review.

Findings

Major

  • standards-compliance · .github/workflows/dependabot-rebase.yml:31 — Edits a file whose own AGENTS header (lines 1-19) states it is a thin caller stub that must be adopted verbatim and explicitly lists the trigger event as MUST NOT CHANGE. Policy directs that any behavioral changes be made in the upstream reusable workflow (petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml). This local override bypasses centralized governance and will drift from org standards.
  • ci-gate-failure — Required check 'dependency-audit / pnpm audit' is FAILURE. mergeStateStatus is BLOCKED. Likely pre-existing dependency vulnerabilities unrelated to this PR, but the gate is not green and must be addressed before merge.

Minor

  • github-actions-security · .github/workflows/dependabot-rebase.yml:31 — Adds workflow_dispatch with no inputs. Manual dispatch requires repo write access and the job-level permissions are read-only (contents: read, pull-requests: read); the merge capability flows from secrets: inherit (APP_ID / APP_PRIVATE_KEY) into the reusable. No expression injection surface is introduced because there are no dispatch inputs. Residual risk: any actor with repo write (or a compromised PAT with actions:write) can now on-demand trigger the Dependabot auto-merge pipeline instead of waiting for a push to main. Concurrency group 'dependabot-update-and-merge' with cancel-in-progress:false mitigates race abuse.

Info

  • scope · .github/workflows/dependabot-rebase.yml — Diff is +2/-0, one file, no code, no secrets added, no new third-party actions, no dependency bumps, no permission escalation at the workflow or job level. No authN/authZ, input validation, crypto, data exposure, or supply chain concerns identified.

CI status

mergeStateStatus is BLOCKED — required check 'dependency-audit / pnpm audit' is FAILURE.


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@don-petry

Copy link
Copy Markdown
Contributor Author

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

  • [major] .github/workflows/dependabot-rebase.yml:31 — Edits a file whose own AGENTS header (lines 1-19) states it is a thin caller stub that must be adopted verbatim and explicitly lists the trigger event as MUST NOT CHANGE. Policy directs that any behavioral changes be made in the upstream reusable workflow (petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml). This local override bypasses centralized governance and will drift from org standards.
  • [major] — Required check 'dependency-audit / pnpm audit' is FAILURE. mergeStateStatus is BLOCKED. Likely pre-existing dependency vulnerabilities unrelated to this PR, but the gate is not green and must be addressed before merge.
  • [minor] .github/workflows/dependabot-rebase.yml:31 — Adds workflow_dispatch with no inputs. Manual dispatch requires repo write access and the job-level permissions are read-only (contents: read, pull-requests: read); the merge capability flows from secrets: inherit (APP_ID / APP_PRIVATE_KEY) into the reusable. No expression injection surface is introduced because there are no dispatch inputs. Residual risk: any actor with repo write (or a compromised PAT with actions:write) can now on-demand trigger the Dependabot auto-merge pipeline instead of waiting for a push to main. Concurrency group 'dependabot-update-and-merge' with cancel-in-progress:false mitigates race abuse.

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on main if the branch is behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

@don-petry

Copy link
Copy Markdown
Contributor Author

Superseded by # which adopts the full standard verbatim including workflow_dispatch and the corrected SHA.

@don-petry don-petry closed this Apr 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants