-
Notifications
You must be signed in to change notification settings - Fork 1
fix: use GITHUB_TOKEN for dependabot rebase workflow #126
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||
|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,62 @@ | ||||||||
| # Dependabot rebase workflow | ||||||||
| # Copy to .github/workflows/dependabot-rebase.yml | ||||||||
| # | ||||||||
| # Problem: when branch protection requires branches to be up-to-date | ||||||||
| # (strict status checks), merging one Dependabot PR makes the others fall | ||||||||
| # behind. Dependabot does not auto-rebase PRs that are merely behind — it | ||||||||
| # only rebases on its next scheduled run or when there are merge conflicts. | ||||||||
| # This leaves auto-merge stalled until the next weekly Dependabot run. | ||||||||
| # | ||||||||
| # Solution: after every push to main (typically a merged PR), this workflow | ||||||||
| # finds open Dependabot PRs that are behind and asks Dependabot to rebase | ||||||||
| # them via the @dependabot rebase command. Dependabot performs the rebase | ||||||||
| # with its own commit signature, preserving the automerge workflow's ability | ||||||||
| # to verify the PR author. | ||||||||
| # | ||||||||
| # Important: never use the GitHub API update-branch endpoint to rebase | ||||||||
| # Dependabot PRs — it replaces Dependabot's commit signature with GitHub's, | ||||||||
| # which breaks dependabot/fetch-metadata verification and causes Dependabot | ||||||||
| # to refuse future rebases on that PR. | ||||||||
| name: Dependabot rebase behind PRs | ||||||||
|
|
||||||||
| on: | ||||||||
| push: | ||||||||
| branches: | ||||||||
| - main | ||||||||
|
|
||||||||
| permissions: {} | ||||||||
|
|
||||||||
| jobs: | ||||||||
| rebase: | ||||||||
| runs-on: ubuntu-latest | ||||||||
| permissions: | ||||||||
| contents: read | ||||||||
| pull-requests: write | ||||||||
| steps: | ||||||||
| - name: Rebase behind Dependabot PRs | ||||||||
| env: | ||||||||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||||||||
| REPO: ${{ github.repository }} | ||||||||
| run: | | ||||||||
| # Find open Dependabot PRs | ||||||||
| PRS=$(gh pr list --repo "$REPO" --author "app/dependabot" \ | ||||||||
| --json number,headRefName \ | ||||||||
| --jq '.[] | "\(.number) \(.headRefName)"') | ||||||||
|
|
||||||||
| if [[ -z "$PRS" ]]; then | ||||||||
| echo "No open Dependabot PRs" | ||||||||
| exit 0 | ||||||||
| fi | ||||||||
|
|
||||||||
| while IFS=' ' read -r PR_NUMBER HEAD_REF; do | ||||||||
| BEHIND=$(gh api "repos/$REPO/compare/main...$HEAD_REF" \ | ||||||||
|
||||||||
| BEHIND=$(gh api "repos/$REPO/compare/main...$HEAD_REF" \ | |
| ENCODED_HEAD_REF=$(python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1], safe=""))' "$HEAD_REF") | |
| BEHIND=$(gh api "repos/$REPO/compare/main...$ENCODED_HEAD_REF" \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The header comment
Copy to .github/workflows/dependabot-rebase.ymlis misleading now that this file already lives at that path. Consider removing or rewording it to describe the workflow’s purpose instead of implying it’s a template to be copied.