fix: pin dependabot-rebase-reusable.yml to SHA#132
Conversation
|
Warning Rate limit exceeded
To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Review rate limit: 0/1 reviews remaining, refill in 54 minutes and 9 seconds.Comment |
|
@don-petry — PR is ready for your review and merge. This fixes the compliance finding by pinning the reusable workflow to its current SHA and syncing the file with the updated org template. |
There was a problem hiding this comment.
Pull request overview
Pins the Dependabot rebase reusable workflow reference to a commit SHA to satisfy the org action-pinning policy, while updating the caller stub to match the latest upstream template.
Changes:
- Pin reusable workflow call from
@v1to a full SHA. - Add
workflow_dispatchtrigger for manual runs. - Switch to explicit secret passing (
APP_ID/APP_PRIVATE_KEY) and elevate job permissions to write.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| workflow_dispatch: # allow manual trigger to flush Dependabot PR queue |
There was a problem hiding this comment.
Adding workflow_dispatch means this workflow (and its secrets + write-scoped GITHUB_TOKEN) can be manually run from any branch that contains the workflow file. That can bypass branch protection/code review expectations (a user with write access could push a branch with a modified workflow and dispatch it to exfiltrate APP_PRIVATE_KEY). Consider adding a job-level guard (e.g., only run when github.ref is refs/heads/main) so dispatch can’t execute on non-main refs.
| contents: write # update-branch via GITHUB_TOKEN (may touch .github/workflows/) | ||
| pull-requests: write # re-approve PRs after branch update |
There was a problem hiding this comment.
This change elevates the job’s token permissions to contents: write and pull-requests: write. If the reusable workflow primarily uses a GitHub App token (from APP_ID/APP_PRIVATE_KEY) for write operations, consider keeping the caller job’s GITHUB_TOKEN permissions at the minimum required (ideally read) to reduce blast radius (notably, contents: write can modify workflow files).
| contents: write # update-branch via GITHUB_TOKEN (may touch .github/workflows/) | |
| pull-requests: write # re-approve PRs after branch update | |
| contents: read # keep caller GITHUB_TOKEN minimal; write operations should use the GitHub App token | |
| pull-requests: read # keep caller GITHUB_TOKEN minimal; PR writes/approvals should use the GitHub App token |
don-petry
left a comment
There was a problem hiding this comment.
Automated review — APPROVED
Risk: MEDIUM
Reviewed commit: c5dca9f6575b6a1f754078eacd5350c63e7f1c24
Cascade: triage → audit (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)
Summary
SHA ee22b427 is verified against the v1 tag in petry-projects/.github. The permission escalation (read→write) is mandated by the org standard template and required by the reusable workflow for update-branch and re-approval operations. Switching from secrets:inherit to explicit APP_ID/APP_PRIVATE_KEY is a net security improvement. All CI checks pass and the reusable workflow demonstrates sound security practices (token separation, auto-merge guards, idempotent fallbacks).
Findings
Info
.github/workflows/dependabot-rebase.yml:47— SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d verified: it matches the current v1 tag in petry-projects/.github (commit: feat(feature-ideation) by don-petry, 2026-04-17). This is a legitimate, org-owned commit..github/workflows/dependabot-rebase.yml:39— The contents:write and pull-requests:write permissions are mandated by the org standard template at petry-projects/.github/standards/workflows/dependabot-rebase.yml. The reusable workflow requires contents:write for the update-branch API and pull-requests:write for re-approving PRs after branch updates. The old read-only permissions were actually insufficient for the workflow to function..github/workflows/dependabot-rebase.yml:48— Moving from secrets:inherit (exposes all repository secrets to the reusable workflow) to explicit APP_ID/APP_PRIVATE_KEY is a positive security improvement that reduces the secret exposure surface.- (reusable-workflow-security) — The reusable workflow at the pinned SHA demonstrates sound security practices: GITHUB_TOKEN is used for update-branch, APP_TOKEN is reserved for approvals/merges, auto-merge guard prevents re-approving PRs that require human review, and the workflow serializes merges one at a time.
- (template-sha-drift) — Minor observation: the org template (standards/workflows/dependabot-rebase.yml) pins to SHA 3c6335c6 while the v1 tag now points to ee22b427. The PR correctly uses the current v1 tag SHA. The template may need updating in the central repo.
.github/workflows/dependabot-rebase.yml:31— workflow_dispatch trigger added per org template. Allows manual triggering to flush queued Dependabot PRs. Access is restricted by standard GitHub repo permissions.
CI status
All CI checks pass (reason_codes: ci-all-pass).
Note: Approval review could not be posted (GitHub does not allow self-approval). Auto-merge enabled below.
Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
|
Auto-rebase failed — merge conflict — this branch has conflicts with Please resolve the conflicts and push: |
|
@claude Please address all open review comments on this PR from CodeRabbit and Copilot. |
|
Claude finished @don-petry's task in 1m 31s —— View job Addressing Open Review Comments
CodeRabbitNo actionable review comments — CodeRabbit hit its hourly rate limit before it could produce feedback. Nothing to address. Copilot Comment 1 —
|
c845dcb to
f1bf17d
Compare
|
|
Closing — after rebasing onto main, this branch has no remaining commits. The fix was already incorporated into main via a subsequent PR. |
Pull request was closed



Summary
dependabot-rebase-reusable.ymlfrom@v1to@ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1(satisfies org action-pinning policy)petry-projects/.github/standards/workflows/dependabot-rebase.yml: addsworkflow_dispatchtrigger, upgrades permissions fromread→write, and switches fromsecrets: inheritto explicitAPP_ID/APP_PRIVATE_KEYsecretsCloses #86.
Generated with Claude Code