feat: implement issue #326 — Compliance: non-stub-dependabot-automerge.yml#339
feat: implement issue #326 — Compliance: non-stub-dependabot-automerge.yml#339don-petry wants to merge 2 commits into
Conversation
| # compliance-ci-trigger | ||
| # ci-trigger-298 | ||
| .dev-lead/ | ||
| .dev-lead/ |
|
Warning Review limit reached
More reviews will be available in 59 minutes and 20 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8a4dbd1042
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| contents: read | ||
| pull-requests: read | ||
| uses: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@v2 | ||
| uses: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@v1 |
There was a problem hiding this comment.
Keep Dependabot reusable workflow pinned to v2
This change downgrades the caller from @v2 to @v1, which conflicts with this file’s own source-of-truth guidance (SOURCE OF TRUTH and You MUST NOT change ... the uses: line in the header). Pinning to an older major version can silently drop org-level fixes/policy updates in the reusable workflow, causing this repo’s Dependabot auto-merge behavior to diverge from the standardized configuration expected by the rest of the organization.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Pull request overview
This PR addresses compliance issue #326 by updating the repository’s Dependabot auto-merge workflow stub to reference the org-standard reusable workflow pin (@v1).
Changes:
- Updated
.github/workflows/dependabot-automerge.ymlto usepetry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@v1. - Added an additional
.dev-lead/entry to.gitignore(now duplicated).
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
.gitignore |
Adds another .dev-lead/ ignore entry (currently results in duplication). |
.github/workflows/dependabot-automerge.yml |
Pins the Dependabot auto-merge reusable workflow to @v1 for compliance. |
|
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 603d63dd95e28ac71afc9808ee1c151eb75528bf
Review mode: triage-approved (single reviewer)
Summary
Small compliance PR addressing issue #326. The substantive change pins the dependabot-automerge.yml reusable workflow reference from @v2 to @v1 (org standard). Remaining changes are a prettier auto-fix pass on ci-failure-analyst.yml (quote style only) and a duplicate .dev-lead/ line in .gitignore. Triage assessment confirmed.
Linked issue analysis
Closes #326 — "Compliance: non-stub-dependabot-automerge.yml". The issue requires that .github/workflows/dependabot-automerge.yml delegate to petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@v1. The diff matches this exactly: the @v2 reference is replaced with @v1. ✓
Findings
.github/workflows/dependabot-automerge.yml— Correctly pins reusable workflow to@v1per org standard. No issues..github/workflows/ci-failure-analyst.yml— Prettier auto-fix (double quotes → single quotes, inline comment spacing). No semantic change..gitignore— Adds.dev-lead/on line 13 even though it already exists on line 12. Harmless (git deduplicates ignore patterns) but cosmetic; worth removing in a follow-up. Multiple AI reviewers (Gemini, Codex, Copilot) flagged this. Not blocking.
No security concerns, no auth/secrets/migration touches, no new dependencies, no permissions changes beyond comment reformatting.
CI status
All checks green: CodeQL (actions, javascript-typescript, python), CodeRabbit, SonarQube quality gate passed (0 new issues, 0 security hotspots). Mergeable; merge state currently BLOCKED only on the required org-leads review.
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
|
Auto-rebase failed — merge conflict — this branch has conflicts with Please resolve the conflicts and push: |
|
Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead. |
Pull request was closed



Closes #326
Implemented by dev-lead agent. Please review.