Skip to content

chore: update dependabot-rebase-reusable SHA (fix update-branch + mergeable)#251

Merged
don-petry merged 8 commits into
mainfrom
chore/update-dependabot-rebase-sha
May 5, 2026
Merged

chore: update dependabot-rebase-reusable SHA (fix update-branch + mergeable)#251
don-petry merged 8 commits into
mainfrom
chore/update-dependabot-rebase-sha

Conversation

@don-petry

@don-petry don-petry commented May 4, 2026

Copy link
Copy Markdown
Collaborator

Updates the dependabot-rebase-reusable.yml caller SHA to b51e2ed.

Changes in new reusable workflow version:

  • Fix: switch from @dependabot rebase comments (rejected by Dependabot when posted by a GitHub App bot) to update-branch API with APP_TOKEN
  • Fix: use GitHub's native mergeable state instead of checking all check conclusions (avoids blocking on non-required failing checks like gitleaks false positives)

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow configuration to enhance automation infrastructure.

Fix: use update-branch API with APP_TOKEN instead of @dependabot rebase
Fix: trust GitHub mergeable state instead of checking all checks
Copilot AI review requested due to automatic review settings May 4, 2026 20:10
@coderabbitai

coderabbitai Bot commented May 4, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 49 minutes and 19 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8dd62904-4eed-4283-aff7-170c5b5b4a95

📥 Commits

Reviewing files that changed from the base of the PR and between 076c45d and 6054a1a.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-rebase.yml
📝 Walkthrough

Walkthrough

Commit SHA reference for the dependabot-rebase reusable workflow is updated from 3ac78a9b0a7b5bcf0b9a62c284129f3abffdebaa to b51e2edf830ea085be0277bcf3174c7b3ec8f958 in the GitHub Actions workflow configuration file.

Changes

Workflow Dependency Update

Layer / File(s) Summary
Workflow Reference
.github/workflows/dependabot-rebase.yml
Reusable workflow commit SHA bumped to point to a newer version; all surrounding job configuration (triggers, concurrency, permissions, secrets) remains unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically identifies the main change: updating a SHA for the dependabot-rebase-reusable workflow with specific improvements (update-branch API and mergeable state fixes).
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/update-dependabot-rebase-sha

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the pinned commit SHA for the org-level dependabot-rebase-reusable.yml GitHub Actions reusable workflow so this repo picks up upstream fixes (moving from comment-based rebases to the update-branch API, and using GitHub’s native mergeable state).

Changes:

  • Bump petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml reference from 3ac78a9… to b51e2ed….

Comment thread .github/workflows/dependabot-rebase.yml Outdated
@github-actions github-actions Bot requested a review from a team as a code owner May 4, 2026 20:39

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-rebase.yml:
- Around line 43-44: Update the inline comment next to the "pull-requests:
write" permission and the "uses:
petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@..."
line to reflect that this reusable workflow now uses the "update-branch" API
path rather than posting "@dependabot rebase" comments; locate the comment
adjacent to the pull-requests permission declaration and the uses reference and
replace the stale rationale with a brief note stating it uses the update-branch
API to update branches and re-approve PRs.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 765cb244-cee4-48cd-8a03-0596fac2d271

📥 Commits

Reviewing files that changed from the base of the PR and between 32541b8 and 076c45d.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-rebase.yml

Comment thread .github/workflows/dependabot-rebase.yml Outdated
… API

Addresses reviewer feedback: the inline comment on pull-requests: write
still referenced @dependabot rebase (the old mechanism). The reusable
workflow now uses the update-branch API with APP_TOKEN instead.
@sonarqubecloud

sonarqubecloud Bot commented May 5, 2026

Copy link
Copy Markdown

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 6054a1a4d10ef512795a0cecbf096124972479f2
Cascade: triage → audit (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6)

Summary

SHA bump from 3ac78a9 to b51e2ed in org-owned petry-projects/.github reusable workflow. The new SHA is a 2-commit forward progression authored by the same PR author (don-petry), fixing a broken @dependabot rebase approach by switching to the update-branch API with APP_TOKEN. No new secrets introduced, no expression injection patterns, all actions pinned by SHA, and all 25 CI checks pass.

Findings

  • INFO: New SHA b51e2ed is 2 commits ahead of old SHA 3ac78a9 in petry-projects/.github (status: 'ahead', behind_by: 0). Both authored by don-petry. Commit message: 'fix: use update-branch API with APP_TOKEN; trust GitHub mergeable state'. This is a legitimate forward progression, not a divergent or unrelated commit.
  • INFO: APP_ID and APP_PRIVATE_KEY are forwarded via explicit secrets: mapping (not secrets: inherit). The private key is consumed only by actions/create-github-app-token@1b10c78c (verified as v3.1.1, first-party GitHub action) to generate a short-lived installation token. The token is passed via env var (GH_TOKEN="$APP_TOKEN"), never interpolated in ${{ }} expressions within run: blocks. This pattern is unchanged from the old SHA.
  • INFO: The reusable workflow has zero ${{ }} expressions in run: blocks. All dynamic values (GH_TOKEN, APP_TOKEN, REPO) are injected via env: blocks, and shell variables (PR_NUMBER, HEAD_REF, BEHIND) come from gh CLI output filtered to app/dependabot-authored PRs only. No user-controllable input reaches shell evaluation.
  • INFO: Caller workflow triggers on push:main and workflow_dispatch — both safe triggers. Top-level permissions: {} with job-level pull-requests: write only. Concurrency group prevents parallel runs. No pull_request_target trigger.
  • INFO: Switching from GitHub mergeable state (which respects branch protection rules and required checks) is actually more secure than the old approach of manually checking individual check conclusions — it defers to GitHub's enforcement layer rather than reimplementing it in shell. The CHECKS_PENDING guard prevents premature merging while CI is in-flight.

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@don-petry don-petry merged commit 82a2d55 into main May 5, 2026
34 checks passed
@don-petry don-petry deleted the chore/update-dependabot-rebase-sha branch May 5, 2026 02:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants