Skip to content

fix: use GITHUB_TOKEN for dependabot rebase workflow#126

Closed
don-petry wants to merge 2 commits into
mainfrom
fix/dependabot-rebase-permissions
Closed

fix: use GITHUB_TOKEN for dependabot rebase workflow#126
don-petry wants to merge 2 commits into
mainfrom
fix/dependabot-rebase-permissions

Conversation

@don-petry

@don-petry don-petry commented Apr 6, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Switches from GitHub App token to GITHUB_TOKEN with pull-requests: write for the @dependabot rebase comment
  • Dependabot requires the commenter to have push access as a user; GitHub App bot accounts are not recognized for this

Follows up on #125 where the initial implementation used the app token and Dependabot rejected the command.

Test plan

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Added a new GitHub Actions workflow that automatically rebases Dependabot pull requests whenever they fall behind the main branch. The workflow triggers on pushes to main, identifies outdated Dependabot PRs, and initiates automatic rebases to keep dependencies current.

DJ and others added 2 commits April 5, 2026 19:11
Triggers on push to main and comments @dependabot rebase on any
Dependabot PRs that have fallen behind, unblocking auto-merge when
strict status checks are enabled.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
GitHub Apps cannot issue @dependabot rebase — Dependabot requires the
commenter to have push access as a user, not an app installation. Switch
to GITHUB_TOKEN with pull-requests: write so github-actions[bot] posts
the comment.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 6, 2026 02:15
@coderabbitai

coderabbitai Bot commented Apr 6, 2026

Copy link
Copy Markdown

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

A new GitHub Actions workflow was added to automatically rebase Dependabot pull requests that fall behind the main branch. The workflow triggers on every push to main, queries open Dependabot PRs via GitHub API, checks each PR's commit distance from main, and posts a @dependabot rebase comment when needed.

Changes

Cohort / File(s) Summary
Dependabot rebase automation
.github/workflows/dependabot-rebase.yml
New workflow that triggers on pushes to main, fetches all open Dependabot PRs, compares each PR branch against main to determine how many commits it is behind, and posts a rebase comment when necessary.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

Suggested reviewers

  • Copilot
🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'fix: use GITHUB_TOKEN for dependabot rebase workflow' directly addresses the main change: replacing a GitHub App token with GITHUB_TOKEN in the workflow to fix permission issues.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/dependabot-rebase-permissions
⚔️ Resolve merge conflicts
  • Resolve merge conflict in branch fix/dependabot-rebase-permissions

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry don-petry closed this Apr 6, 2026
@don-petry don-petry deleted the fix/dependabot-rebase-permissions branch April 6, 2026 02:18

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the Dependabot rebase automation workflow so it comments @dependabot rebase using the built-in GITHUB_TOKEN (with pull-requests: write), aligning with Dependabot’s requirement that the commenter has push access as a user.

Changes:

  • Configure the rebase workflow to authenticate gh via GITHUB_TOKEN.
  • Detect open Dependabot PRs that are behind main and comment @dependabot rebase to request a rebase.

fi

while IFS=' ' read -r PR_NUMBER HEAD_REF; do
BEHIND=$(gh api "repos/$REPO/compare/main...$HEAD_REF" \

Copilot AI Apr 6, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HEAD_REF from Dependabot PRs typically contains slashes (e.g. dependabot/npm_and_yarn/...). Using it unescaped inside the REST path compare/main...$HEAD_REF will produce an invalid URL (extra path segments), causing gh api to 404 and the step to fail under the default bash -e runner shell. URL-encode the ref before calling the compare endpoint (or fetch the behind count via a PR/GraphQL field that doesn't require embedding the ref in the URL path).

Suggested change
BEHIND=$(gh api "repos/$REPO/compare/main...$HEAD_REF" \
ENCODED_HEAD_REF=$(python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1], safe=""))' "$HEAD_REF")
BEHIND=$(gh api "repos/$REPO/compare/main...$ENCODED_HEAD_REF" \

Copilot uses AI. Check for mistakes.
@@ -0,0 +1,62 @@
# Dependabot rebase workflow
# Copy to .github/workflows/dependabot-rebase.yml

Copilot AI Apr 6, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The header comment Copy to .github/workflows/dependabot-rebase.yml is misleading now that this file already lives at that path. Consider removing or rewording it to describe the workflow’s purpose instead of implying it’s a template to be copied.

Suggested change
# Copy to .github/workflows/dependabot-rebase.yml
# Rebases open Dependabot PRs that have fallen behind main after pushes.

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants