chore: update dependabot-rebase-reusable SHA (fix update-branch + mergeable)#251
Conversation
Fix: use update-branch API with APP_TOKEN instead of @dependabot rebase Fix: trust GitHub mergeable state instead of checking all checks
|
Warning Rate limit exceeded
To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughCommit SHA reference for the ChangesWorkflow Dependency Update
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
Updates the pinned commit SHA for the org-level dependabot-rebase-reusable.yml GitHub Actions reusable workflow so this repo picks up upstream fixes (moving from comment-based rebases to the update-branch API, and using GitHub’s native mergeable state).
Changes:
- Bump
petry-projects/.github/.github/workflows/dependabot-rebase-reusable.ymlreference from3ac78a9…tob51e2ed….
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/dependabot-rebase.yml:
- Around line 43-44: Update the inline comment next to the "pull-requests:
write" permission and the "uses:
petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@..."
line to reflect that this reusable workflow now uses the "update-branch" API
path rather than posting "@dependabot rebase" comments; locate the comment
adjacent to the pull-requests permission declaration and the uses reference and
replace the stale rationale with a brief note stating it uses the update-branch
API to update branches and re-approve PRs.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 765cb244-cee4-48cd-8a03-0596fac2d271
📒 Files selected for processing (1)
.github/workflows/dependabot-rebase.yml
… API Addresses reviewer feedback: the inline comment on pull-requests: write still referenced @dependabot rebase (the old mechanism). The reusable workflow now uses the update-branch API with APP_TOKEN instead.
|
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 6054a1a4d10ef512795a0cecbf096124972479f2
Cascade: triage → audit (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6)
Summary
SHA bump from 3ac78a9 to b51e2ed in org-owned petry-projects/.github reusable workflow. The new SHA is a 2-commit forward progression authored by the same PR author (don-petry), fixing a broken @dependabot rebase approach by switching to the update-branch API with APP_TOKEN. No new secrets introduced, no expression injection patterns, all actions pinned by SHA, and all 25 CI checks pass.
Findings
- INFO: New SHA b51e2ed is 2 commits ahead of old SHA 3ac78a9 in petry-projects/.github (status: 'ahead', behind_by: 0). Both authored by don-petry. Commit message: 'fix: use update-branch API with APP_TOKEN; trust GitHub mergeable state'. This is a legitimate forward progression, not a divergent or unrelated commit.
- INFO: APP_ID and APP_PRIVATE_KEY are forwarded via explicit secrets: mapping (not secrets: inherit). The private key is consumed only by actions/create-github-app-token@1b10c78c (verified as v3.1.1, first-party GitHub action) to generate a short-lived installation token. The token is passed via env var (GH_TOKEN="$APP_TOKEN"), never interpolated in ${{ }} expressions within run: blocks. This pattern is unchanged from the old SHA.
- INFO: The reusable workflow has zero ${{ }} expressions in run: blocks. All dynamic values (GH_TOKEN, APP_TOKEN, REPO) are injected via env: blocks, and shell variables (PR_NUMBER, HEAD_REF, BEHIND) come from gh CLI output filtered to app/dependabot-authored PRs only. No user-controllable input reaches shell evaluation.
- INFO: Caller workflow triggers on push:main and workflow_dispatch — both safe triggers. Top-level permissions: {} with job-level pull-requests: write only. Concurrency group prevents parallel runs. No pull_request_target trigger.
- INFO: Switching from GitHub mergeable state (which respects branch protection rules and required checks) is actually more secure than the old approach of manually checking individual check conclusions — it defers to GitHub's enforcement layer rather than reimplementing it in shell. The CHECKS_PENDING guard prevents premature merging while CI is in-flight.
Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.



Updates the
dependabot-rebase-reusable.ymlcaller SHA tob51e2ed.Changes in new reusable workflow version:
@dependabot rebasecomments (rejected by Dependabot when posted by a GitHub App bot) toupdate-branchAPI with APP_TOKENmergeablestate instead of checking all check conclusions (avoids blocking on non-required failing checks like gitleaks false positives)Summary by CodeRabbit