fix: use GITHUB_TOKEN for dependabot rebase workflow#126
Conversation
Triggers on push to main and comments @dependabot rebase on any Dependabot PRs that have fallen behind, unblocking auto-merge when strict status checks are enabled. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
GitHub Apps cannot issue @dependabot rebase — Dependabot requires the commenter to have push access as a user, not an app installation. Switch to GITHUB_TOKEN with pull-requests: write so github-actions[bot] posts the comment. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Caution Review failedPull request was closed or merged during review 📝 WalkthroughWalkthroughA new GitHub Actions workflow was added to automatically rebase Dependabot pull requests that fall behind the main branch. The workflow triggers on every push to main, queries open Dependabot PRs via GitHub API, checks each PR's commit distance from main, and posts a Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
⚔️ Resolve merge conflicts
Comment |
There was a problem hiding this comment.
Pull request overview
Updates the Dependabot rebase automation workflow so it comments @dependabot rebase using the built-in GITHUB_TOKEN (with pull-requests: write), aligning with Dependabot’s requirement that the commenter has push access as a user.
Changes:
- Configure the rebase workflow to authenticate
ghviaGITHUB_TOKEN. - Detect open Dependabot PRs that are behind
mainand comment@dependabot rebaseto request a rebase.
| fi | ||
|
|
||
| while IFS=' ' read -r PR_NUMBER HEAD_REF; do | ||
| BEHIND=$(gh api "repos/$REPO/compare/main...$HEAD_REF" \ |
There was a problem hiding this comment.
HEAD_REF from Dependabot PRs typically contains slashes (e.g. dependabot/npm_and_yarn/...). Using it unescaped inside the REST path compare/main...$HEAD_REF will produce an invalid URL (extra path segments), causing gh api to 404 and the step to fail under the default bash -e runner shell. URL-encode the ref before calling the compare endpoint (or fetch the behind count via a PR/GraphQL field that doesn't require embedding the ref in the URL path).
| BEHIND=$(gh api "repos/$REPO/compare/main...$HEAD_REF" \ | |
| ENCODED_HEAD_REF=$(python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1], safe=""))' "$HEAD_REF") | |
| BEHIND=$(gh api "repos/$REPO/compare/main...$ENCODED_HEAD_REF" \ |
| @@ -0,0 +1,62 @@ | |||
| # Dependabot rebase workflow | |||
| # Copy to .github/workflows/dependabot-rebase.yml | |||
There was a problem hiding this comment.
The header comment Copy to .github/workflows/dependabot-rebase.yml is misleading now that this file already lives at that path. Consider removing or rewording it to describe the workflow’s purpose instead of implying it’s a template to be copied.
| # Copy to .github/workflows/dependabot-rebase.yml | |
| # Rebases open Dependabot PRs that have fallen behind main after pushes. |
Summary
GITHUB_TOKENwithpull-requests: writefor the@dependabot rebasecommentFollows up on #125 where the initial implementation used the app token and Dependabot rejected the command.
Test plan
github-actions[bot]comment is accepted by Dependabot🤖 Generated with Claude Code
Summary by CodeRabbit