fix(dependabot): use correct ecosystem value github_actions (underscore) #138
fetch-metadata outputs package-ecosystem as "github_actions" with an underscore, not "github-actions" with a hyphen. The condition was never matching, so major GitHub Actions updates were still being skipped. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pull request overview
Fixes the Dependabot auto-merge eligibility check for GitHub Actions by matching the actual `dependabot/fetch-metadata` output value (`github_actions` with underscore), so major GitHub Actions updates are no longer incorrectly treated as ineligible.
Changes:
- Update the ecosystem string comparison from `github-actions` to `github_actions` in the repo workflow.
- Apply the same fix in the reusable automerge workflow to keep logic consistent.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/dependabot-automerge.yml | Fixes the GitHub Actions ecosystem comparison so the eligibility gate correctly bypasses major-version blocking for Actions PRs. |
| .github/workflows/dependabot-automerge-reusable.yml | Mirrors the same corrected ecosystem comparison in the reusable workflow implementation. |
…DEOWNERS GitHub's auto-merge mechanism does not apply ruleset bypass actors at merge time, so gh pr merge --auto cannot bypass the CODEOWNERS review requirement even when the App has bypass_mode:always. The rebase workflow's direct gh api .../merge call uses the App token directly and does apply the bypass, allowing Dependabot PRs to merge without a human CODEOWNERS review. Also updates dependabot-policy.md to document this nuance — the rebase workflow is now required for repos with CODEOWNERS review requirements, not only for repos with strict required-status-checks. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Address SonarCloud hotspots S7637 and S7635:
- S7637: pin reusable workflow to full commit SHA instead of @v1 tag
- S7635: pass APP_ID and APP_PRIVATE_KEY explicitly instead of secrets: inherit
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Actionable comments posted: 1
Inline comments:
In `@standards/dependabot-policy.md`:
- Around line 207-217: The "Each repository must have" table still lists
dependabot-rebase.yml as universally required, which conflicts with the
conditional wording added for dependabot-rebase.yml; update the table's row
referencing dependabot-rebase.yml in the "Each repository must have" block so it
states the workflow is conditional (required only when
strict_required_status_checks_policy or require_code_owner_review apply) or
remove it from the universal list and add a note linking to the conditional
rules; ensure references to dependabot-rebase.yml and the table header "Each
repository must have" are changed accordingly to match the new conditional
policy and align with the workflows defined in standards/ci-standards.md.
📒 Files selected for processing (4)
- .github/workflows/dependabot-automerge-reusable.yml
- .github/workflows/dependabot-automerge.yml
- .github/workflows/dependabot-rebase.yml
- standards/dependabot-policy.md
…orkflow The "Each repository must have" table listed dependabot-rebase.yml as universally required, contradicting the conditional wording added in the Applying to a Repository section. Split the table into baseline (always required) and conditional (when strict checks or CODEOWNERS review applies) to eliminate the inconsistency. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- `github-actions` (hyphen) instead of the actual value `github_actions` (underscore) output by `dependabot/fetch-metadata`
Root cause
The `fetch-metadata` action outputs `package-ecosystem` as `github_actions` (underscore), matching the `dependabot.yml` key name. Our condition compared against `github-actions` (hyphen, the YAML display name), so it never matched and major Action bumps fell through to the `eligible=false` branch.
Confirmed from live run logs on PR #129 (download-artifact v4→v8):
Test plan
- `eligible=true` in the automerge workflow
🤖 Generated with Claude Code
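The eligibility gate described in the root cause above, as an added example that is not part of the PR or of the project's own workflows. It models the rule the PR fixes: a Dependabot PR is eligible for auto-merge unless it is a semver-major bump, and major bumps pass only for the `github_actions` ecosystem. The two inputs take the values `dependabot/fetch-metadata` exposes as `steps.<id>.outputs.package-ecosystem` and `steps.<id>.outputs.update-type`; the exact shape of the project's condition, the step id, and the helper names `eligible`, `eligible_buggy` and `emit_output` are assumptions made for this example. The buggy variant is kept alongside the fix to show why the hyphenated comparison never matched.

```shell
#!/bin/sh
# Added example, not code from the PR or the project's workflows.
# Models the auto-merge eligibility gate: minor/patch bumps are always
# eligible, major bumps only for the github_actions ecosystem. Inputs are the
# values dependabot/fetch-metadata exposes as
#   steps.<id>.outputs.package-ecosystem  (e.g. github_actions, npm_and_yarn)
#   steps.<id>.outputs.update-type        (e.g. version-update:semver-major)
# The project's real condition may differ; its shape here is an assumption.

MAJOR="version-update:semver-major"

# Corrected gate: compares against the value fetch-metadata actually emits.
# Usage: eligible ECOSYSTEM UPDATE_TYPE  -> prints "true" or "false"
eligible() {
  ecosystem="$1"
  update_type="$2"
  if [ "$update_type" != "$MAJOR" ]; then
    echo true            # minor/patch bumps are always eligible
  elif [ "$ecosystem" = "github_actions" ]; then
    echo true            # major Action bumps are allowed through
  else
    echo false           # major bumps elsewhere need a human review
  fi
}

# Pre-fix gate, kept only to show the failure: the hyphenated name never
# equals fetch-metadata's output, so every major Action bump is refused.
eligible_buggy() {
  ecosystem="$1"
  update_type="$2"
  if [ "$update_type" != "$MAJOR" ]; then
    echo true
  elif [ "$ecosystem" = "github-actions" ]; then
    echo true
  else
    echo false
  fi
}

# How a workflow `run:` step would hand the result to later steps.
# GITHUB_OUTPUT exists only on a runner, so the write is guarded for local runs.
emit_output() {
  result=$(eligible "$1" "$2")
  if [ -n "${GITHUB_OUTPUT:-}" ]; then
    echo "eligible=$result" >> "$GITHUB_OUTPUT"
  fi
  echo "$result"
}

# Constructed sample input: the case the PR description cites from PR #129
# (download-artifact v4 -> v8, a major bump of a GitHub Action).
emit_output github_actions "$MAJOR"
```

Running the script locally prints `true` for the constructed sample; swapping `eligible` for `eligible_buggy` in `emit_output` reproduces the pre-fix behaviour, where the same input prints `false` and the PR is left for a human to merge.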