fix: use GITHUB_TOKEN for dependabot rebase comments#127
Conversation
Dependabot requires the commenter to have push access as a recognized user. GitHub App bot accounts are rejected. Switch to GITHUB_TOKEN with pull-requests: write so github-actions[bot] posts the comment. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 6 minutes and 27 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
There was a problem hiding this comment.
Pull request overview
This PR updates the existing Dependabot rebase automation to authenticate using the built-in GITHUB_TOKEN (with expanded job permissions) instead of generating a GitHub App installation token, reducing required repository secrets and aligning with Dependabot’s commenter acceptance constraints.
Changes:
- Removes the
actions/create-github-app-tokenstep and related secret requirements. - Switches
GH_TOKENto useGITHUB_TOKEN. - Updates job permissions to grant
pull-requests: writefor posting rebase commands.
| @@ -35,18 +31,11 @@ jobs: | |||
| runs-on: ubuntu-latest | |||
| permissions: | |||
| contents: read | |||
There was a problem hiding this comment.
gh pr comment posts an issue-style comment on the PR conversation (Issues API), so pull-requests: write alone may still yield a 403. Add issues: write to the job permissions to ensure the workflow can create the @dependabot rebase comment.
| contents: read | |
| contents: read | |
| issues: write |
| - name: Rebase behind Dependabot PRs | ||
| env: | ||
| GH_TOKEN: ${{ steps.app-token.outputs.token }} | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
There was a problem hiding this comment.
Consider using ${{ github.token }} instead of ${{ secrets.GITHUB_TOKEN }} for GH_TOKEN. It’s the same token but avoids implying a repository secret and matches the canonical context reference for the built-in token.
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GH_TOKEN: ${{ github.token }} |



Summary
GITHUB_TOKENwithpull-requests: writecreate-github-app-tokenstep (no secrets needed)Follows up on #125 where the app token approach was rejected by Dependabot.
Test plan
github-actions[bot]comment is accepted by Dependabot on PR chore(deps): bump SonarSource/sonarqube-scan-action from 7.0.0 to 7.1.0 #114🤖 Generated with Claude Code