Skip to content

fix: use GITHUB_TOKEN for dependabot rebase comments#127

Merged
don-petry merged 1 commit into
mainfrom
fix/dependabot-rebase-token
Apr 6, 2026
Merged

fix: use GITHUB_TOKEN for dependabot rebase comments#127
don-petry merged 1 commit into
mainfrom
fix/dependabot-rebase-token

Conversation

@don-petry

Copy link
Copy Markdown
Collaborator

Summary

  • Switches from GitHub App token to GITHUB_TOKEN with pull-requests: write
  • Removes the create-github-app-token step (no secrets needed)
  • Dependabot requires commenters to have push access as a recognized user; GitHub App bots are rejected

Follows up on #125 where the app token approach was rejected by Dependabot.

Test plan

🤖 Generated with Claude Code

Dependabot requires the commenter to have push access as a recognized
user. GitHub App bot accounts are rejected. Switch to GITHUB_TOKEN
with pull-requests: write so github-actions[bot] posts the comment.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 6, 2026 02:19
@coderabbitai

coderabbitai Bot commented Apr 6, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 27 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 6 minutes and 27 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3079cc8f-83c6-4e7b-a370-d8ca5fba6a46

📥 Commits

Reviewing files that changed from the base of the PR and between d6e7072 and 663e659.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-rebase.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/dependabot-rebase-token

Comment @coderabbitai help to get the list of available commands and usage tips.

@sonarqubecloud

sonarqubecloud Bot commented Apr 6, 2026

Copy link
Copy Markdown

@don-petry don-petry merged commit 332cc67 into main Apr 6, 2026
15 checks passed
@don-petry don-petry deleted the fix/dependabot-rebase-token branch April 6, 2026 02:21

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the existing Dependabot rebase automation to authenticate using the built-in GITHUB_TOKEN (with expanded job permissions) instead of generating a GitHub App installation token, reducing required repository secrets and aligning with Dependabot’s commenter acceptance constraints.

Changes:

  • Removes the actions/create-github-app-token step and related secret requirements.
  • Switches GH_TOKEN to use GITHUB_TOKEN.
  • Updates job permissions to grant pull-requests: write for posting rebase commands.

@@ -35,18 +31,11 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: read

Copilot AI Apr 6, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

gh pr comment posts an issue-style comment on the PR conversation (Issues API), so pull-requests: write alone may still yield a 403. Add issues: write to the job permissions to ensure the workflow can create the @dependabot rebase comment.

Suggested change
contents: read
contents: read
issues: write

Copilot uses AI. Check for mistakes.
- name: Rebase behind Dependabot PRs
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Copilot AI Apr 6, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider using ${{ github.token }} instead of ${{ secrets.GITHUB_TOKEN }} for GH_TOKEN. It’s the same token but avoids implying a repository secret and matches the canonical context reference for the built-in token.

Suggested change
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ github.token }}

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants