Conversation
… for approvals

The GitHub App lacks 'workflows' permission, causing update-branch to fail with HTTP 403 when the merge would include .github/workflows/ changes from main.

Fix: use GITHUB_TOKEN (which has implicit workflows write permission in push-triggered workflows) for the update-branch call. Reserve the app token for approvals and merges, where the app bot identity matters:

- Approvals: attributed to the trusted app bot (satisfies require_last_push_approval since GITHUB_TOKEN was the pusher, not the app)
- Merges: attributed to the app bot so the resulting push to main re-triggers this workflow, enabling the self-sustaining serialization chain

Also adds contents:write, pull-requests:write, workflows:write permissions to the job so GITHUB_TOKEN can perform these operations.
… scope) 'workflows' is a GitHub App permission, not a GitHub Actions job permission scope. actionlint correctly rejects it. GITHUB_TOKEN with contents:write in a push-triggered workflow already handles .github/workflows/ file updates.
Pull request overview
Updates the org’s reusable Dependabot rebase/merge workflow to avoid HTTP 403s when update-branch needs to merge workflow-file changes (by switching that API call to use GITHUB_TOKEN), while keeping approvals and merges attributed to the GitHub App identity.
Changes:
- Elevates job permissions in the reusable workflow to enable `update-branch` when `.github/workflows/*` changes are involved.
- Uses `GITHUB_TOKEN` for `update-branch`, and uses the app token only for re-approvals and merges (via `GH_TOKEN="$APP_TOKEN"`).
… caller stubs Reusable workflow permissions are capped by the calling job. Update both the live caller (.github/workflows/dependabot-rebase.yml) and the standards template (standards/workflows/dependabot-rebase.yml) to grant write permissions so the reusable's GITHUB_TOKEN can call update-branch and approve PRs. Also update the pinned SHA to origin/main (35e0e20) which includes the re-approval fix from PR #140.
* fix(dependabot-rebase): update pinned SHA to include GITHUB_TOKEN fix

  The caller stubs referenced SHA 35e0e20 (PR #140), which predates the GITHUB_TOKEN change from PR #141. Update to f5c167c (HEAD of main after PR #141 merged) so the reusable workflow used has contents:write/ pull-requests:write job permissions and uses GITHUB_TOKEN for update-branch.

* docs: clarify SHA bump is allowed in caller stub header comment

  The previous header said 'MUST NOT change the uses: line', but bumping the pinned SHA when upgrading the reusable workflow version is intentional and necessary. Clarify what is forbidden vs what is allowed.

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>



Problem
The `dependabot-automerge-petry` GitHub App lacks the `workflows` permission. When `update-branch` merges main into a Dependabot PR branch and main contains new/updated `.github/workflows/` files, the API returns HTTP 403:
```
gh: refusing to allow a GitHub App to create or update workflow
`.github/workflows/feature-ideation-reusable.yml`
without `workflows` permission (HTTP 403)
```
This was silently preventing all Dependabot branch updates since new workflow files were added to main (via PRs #139, #140).
Fix
Use `GITHUB_TOKEN` for the `update-branch` API call. In a `push`-triggered workflow, `GITHUB_TOKEN` has implicit `workflows: write` permission. Reserve the app bot token for approvals and merges, where its identity matters:
Security benefit
Using `GITHUB_TOKEN` (github-actions bot) as the pusher and the app as the approver cleanly satisfies `require_last_push_approval` — the pusher and approver are now definitively different identities, removing any ambiguity raised in PR #140's review.
Changes
🤖 Generated with Claude Code
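The token split described in this PR (GITHUB_TOKEN for `update-branch`, the app token only for approval and merge, and caller-side permissions that the reusable workflow cannot exceed), shown as an added example. This is not the org's actual workflow: the reusable file name, the `actions/create-github-app-token` step, the `APP_ID`/`APP_PRIVATE_KEY` secret names, the placeholder org/repo and pinned SHA, and the `mergeStateStatus` check are all assumptions made for the illustration. Note that `workflows` is deliberately absent from the job permissions, as the follow-up commit above explains.

```yaml
# Caller stub (the page names this file as .github/workflows/dependabot-rebase.yml).
# A reusable workflow's permissions are capped by the calling job, so the caller
# must grant everything the reusable needs. <PINNED-SHA> is a placeholder.
name: dependabot-rebase
on:
  push:
    branches: [main]
jobs:
  rebase:
    permissions:
      contents: write        # update-branch and merge
      pull-requests: write   # approve and merge
    uses: EXAMPLE-ORG/EXAMPLE-REPO/.github/workflows/dependabot-rebase-reusable.yml@<PINNED-SHA>
    secrets: inherit
---
# Reusable workflow (hypothetical file name: dependabot-rebase-reusable.yml).
name: dependabot-rebase-reusable
on:
  workflow_call:
    secrets:
      APP_ID:            # assumed secret names
        required: true
      APP_PRIVATE_KEY:
        required: true
jobs:
  rebase:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      # No 'workflows:' key: that is a GitHub App permission, not a job scope, and
      # actionlint rejects it. In a push-triggered workflow GITHUB_TOKEN can already
      # write .github/workflows/ files with contents: write.
    steps:
      - name: Mint app token (used only where the bot identity matters)
        id: app
        uses: actions/create-github-app-token@v1   # assumed for the example
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Update, approve and merge the oldest open Dependabot PR
        env:
          REPO: ${{ github.repository }}
          GITHUB_TOKEN: ${{ github.token }}
          APP_TOKEN: ${{ steps.app.outputs.token }}
        run: |
          set -euo pipefail
          # Read-only lookups use GITHUB_TOKEN.
          pr=$(GH_TOKEN="$GITHUB_TOKEN" gh pr list --repo "$REPO" \
                 --author app/dependabot --state open --limit 1 \
                 --json number --jq '.[0].number // empty')
          [ -n "$pr" ] || { echo "no open Dependabot PRs"; exit 0; }

          state=$(GH_TOKEN="$GITHUB_TOKEN" gh pr view "$pr" --repo "$REPO" \
                    --json mergeStateStatus --jq .mergeStateStatus)

          if [ "$state" = "BEHIND" ]; then
            # 1. Bring main into the PR branch with GITHUB_TOKEN. The push is made
            #    by github-actions[bot]: it may carry .github/workflows/ changes
            #    without the App's 'workflows' permission, and a GITHUB_TOKEN push
            #    does not re-trigger this workflow. update-branch is asynchronous,
            #    so stop here; the next run handles the now-current branch.
            GH_TOKEN="$GITHUB_TOKEN" gh api -X PUT "repos/$REPO/pulls/$pr/update-branch"
            echo "update-branch requested for #$pr"
            exit 0
          fi

          # 2. Approve with the App token. The last pusher was github-actions[bot],
          #    so an approval from the App identity satisfies require_last_push_approval.
          GH_TOKEN="$APP_TOKEN" gh pr review "$pr" --repo "$REPO" --approve \
            --body "Automated re-approval after branch update"

          # 3. Merge with the App token. The merge commit on main is attributed to
          #    the App bot, whose push re-triggers this workflow for the next PR.
          #    GitHub refuses the merge if branch protection is not yet satisfied,
          #    which fails the job visibly rather than silently.
          GH_TOKEN="$APP_TOKEN" gh pr merge "$pr" --repo "$REPO" --squash
```

The design point is that each API call carries the least-privileged identity that can perform it: the branch update needs only `contents: write` on a token that is allowed to touch workflow files, while approval and merge are the two places the App's distinct identity is load-bearing for branch protection and for re-triggering the chain.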