Conversation
…ranch blocked GitHub blocks the update-branch API when the merge would introduce .github/workflows/ changes, regardless of which token is used — the token must have the GitHub App 'workflows' permission, which neither GITHUB_TOKEN nor the dependabot-automerge-petry app has. Fallback: when update-branch fails with a 'workflows permission' error, post '@dependabot rebase' as a PR comment. Dependabot always has permission to push to its own branches including workflow files. After Dependabot rebases, the dependabot-automerge workflow (pull_request_target/synchronize) re-approves the PR and the serialization chain continues. Also fix dead-code else/fi left over from earlier refactor.
Walkthrough: This change modifies the Dependabot rebase reusable workflow to capture GitHub API command output and exit status, detect permission-related failures, and implement a fallback mechanism that posts …
Pull request overview
Updates the org’s reusable Dependabot rebase/merge workflow to avoid getting stuck when GitHub blocks the update-branch API due to .github/workflows/ changes requiring workflows permission.
Changes:
- Capture `update-branch` output/exit status and branch-update failure details.
- On a detected "workflows permission" failure, fall back to posting an `@dependabot rebase` PR comment.
- Remove a dead `else/fi` block that could emit an incorrect warning when PRs were not behind.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `.github/workflows/dependabot-rebase-reusable.yml`:
- Around line 94-97: The current assignment captures `UPDATE_OUTPUT` with `gh api` and only afterward reads `UPDATE_EXIT`, but under `bash -e` the failing `gh api` will terminate the step before `UPDATE_EXIT` is set; change the pattern to run the command inside an `if` to prevent immediate exit: invoke `gh api "repos/$REPO/pulls/$PR_NUMBER/update-branch" -X PUT -f update_method=merge` inside an `if ! ...; then` block and set `UPDATE_OUTPUT` and `UPDATE_EXIT` from that block (referencing `UPDATE_OUTPUT`, `UPDATE_EXIT`, and the `gh api` call) so you can handle the non-zero exit (403) path and run the fallback that posts "@dependabot rebase".
Files selected for processing (1): `.github/workflows/dependabot-rebase-reusable.yml`
Review — fix requested (cycle 1/3)
The automated review identified the following issues. Please address each one:
The review cascade will automatically re-review after new commits are pushed.
…back
- Fix critical bash -e bug: use `if UPDATE_OUTPUT=$(cmd)` pattern instead of capturing output then checking `$?`, which never runs under `set -e`
- Narrow grep to exact string 'without `workflows` permission' to avoid false-positives from other permission errors
- Add error handling for the @dependabot rebase comment posting
- Make fallback idempotent: check for existing @dependabot rebase comment before posting to avoid spamming PRs on every push-to-main trigger



Problem
GitHub blocks the `update-branch` API when the merge would introduce `.github/workflows/` changes into the PR branch. This restriction applies to all tokens — both `GITHUB_TOKEN` and GitHub App tokens require the explicit GitHub App `workflows` permission for this operation. The `dependabot-automerge-petry` app does not have this permission.
Result: PRs #125 and #129 have been stuck BEHIND for days, because every push to `main` (our recent fixes) advances the workflow files, and `update-branch` always fails with:
```
gh: refusing to allow a GitHub App to create or update workflow
`.github/workflows/feature-ideation-reusable.yml`
without `workflows` permission (HTTP 403)
```
Fix
When `update-branch` fails with a `workflows` permission error, fall back to posting a `@dependabot rebase` comment on the PR. Dependabot always has permission to push to its own branches including workflow files. After Dependabot rebases:
Flow
Before (stuck):
```
PR behind → update-branch → HTTP 403 → warning → stuck forever
```
After (fallback chain):
```
PR behind → update-branch → 403 → @dependabot rebase comment
→ Dependabot rebases → automerge workflow approves
→ next push → rebase workflow merges → ✓
```
Why not add `workflows` permission to the app? That requires a GitHub UI change and all installation approvals. The fallback is equally effective and works without admin action.
Also fixed
Removed dead-code `else/fi` block left over from an earlier refactor that would have printed a wrong "Warning: failed to update" message when PRs were NOT behind.
🤖 Generated with Claude Code
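The fallback chain described above, written out as an added shell example (not the PR's own workflow code): the `gh api` call runs inside `if` so `set -e` cannot abort the step before the status is examined, only the exact `without `workflows` permission` text triggers the fallback, and an existing `@dependabot rebase` comment suppresses a duplicate post. It assumes an authenticated `gh`; the function names `has_rebase_comment` and `update_or_fallback` are mine.

```shell
#!/usr/bin/env bash
# Added example, not the workflow from the PR. Usage: ./script OWNER/REPO PR_NUMBER
set -euo pipefail

# Exact error fragment GitHub returns (quoted in the PR description) when the
# token lacks the `workflows` permission. Matching only this string keeps other
# 403s (e.g. a plain "not accessible" error) from triggering the fallback.
WORKFLOWS_PERM_MSG='without `workflows` permission'

# Returns 0 when a "@dependabot rebase" comment already exists on the PR, so
# repeated push-to-main runs do not spam the PR with duplicate comments.
has_rebase_comment() {
  local repo="$1" pr="$2"
  gh api "repos/$repo/issues/$pr/comments" --jq '.[].body' 2>/dev/null \
    | grep -qxF '@dependabot rebase'
}

# Tries update-branch first; on the workflows-permission 403 asks Dependabot to
# rebase instead. Prints one of: updated | rebase-requested | rebase-pending | failed
update_or_fallback() {
  local repo="$1" pr="$2" out
  # The command runs inside `if`, so a non-zero exit is handled here rather
  # than terminating the whole step under `set -e`.
  if out=$(gh api "repos/$repo/pulls/$pr/update-branch" -X PUT -f update_method=merge 2>&1); then
    echo updated
    return 0
  fi
  if ! printf '%s\n' "$out" | grep -qF "$WORKFLOWS_PERM_MSG"; then
    echo "update-branch failed: $out" >&2
    echo failed
    return 1
  fi
  if has_rebase_comment "$repo" "$pr"; then
    echo rebase-pending
    return 0
  fi
  # Posting a comment is itself checked; a silent failure here would leave the
  # PR stuck exactly as before.
  if gh api "repos/$repo/issues/$pr/comments" -f body='@dependabot rebase' >/dev/null; then
    echo rebase-requested
  else
    echo "failed to post @dependabot rebase comment" >&2
    echo failed
    return 1
  fi
}

if [ "$#" -eq 2 ]; then update_or_fallback "$1" "$2"; fi
```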