Skip to content
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 13 additions & 9 deletions .github/workflows/dependabot-rebase.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,13 @@
# AGENTS — READ BEFORE EDITING:
# • This file is a THIN CALLER STUB. All rebase/merge serialization logic
# lives in the reusable workflow above.
# • You MAY change: nothing in this file in normal use. Adopt verbatim.
# • You MAY change: the SHA in the `uses:` line when upgrading the reusable
# workflow version (bump SHA to latest main of petry-projects/.github).

Copilot AI Apr 18, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The instruction to ‘bump SHA to latest main’ is easy to misread as endorsing tracking main (or an arbitrary commit) rather than a vetted release commit. To keep upgrades auditable/compliance-friendly, consider rewording this to explicitly say to bump to the SHA that corresponds to the intended released version (e.g., the commit for the v1 tag/release), and optionally include a link to the upstream release/changelog for verification.

Suggested change
# workflow version (bump SHA to latest main of petry-projects/.github).
# workflow version (bump to the SHA for the intended released version of
# petry-projects/.github, such as the commit for the `v1` tag/release).

Copilot uses AI. Check for mistakes.
# • You MUST NOT change: trigger event, the concurrency group name,
# the `uses:` line, `secrets: inherit`, or the job-level `permissions:`
# block — reusable workflows can be granted no more permissions than the
# calling job has, so removing the stanza breaks the reusable's gh API
# calls.
# the explicit secrets block, or the job-level `permissions:` block —
# reusable workflows can be granted no more permissions than the calling
# job has, so removing the stanza breaks
# the reusable's gh API calls.
# • If you need different behaviour, open a PR against the reusable in the
# central repo.
# ─────────────────────────────────────────────────────────────────────────────
Expand All @@ -27,6 +28,7 @@ on:
push:
branches:
- main
workflow_dispatch: # allow manual trigger to flush Dependabot PR queue

concurrency:
group: dependabot-update-and-merge
Expand All @@ -37,7 +39,9 @@ permissions: {}
jobs:
dependabot-rebase:
permissions:
contents: read
pull-requests: read
uses: petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@v1
secrets: inherit
contents: write # update-branch via GITHUB_TOKEN (may touch .github/workflows/)
pull-requests: write # re-approve PRs after branch update
uses: petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@3c6335c6ee3e2f1a37f3e27e065e28d36d9c0dde # v1
secrets:
APP_ID: ${{ secrets.APP_ID }}
APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
Loading