fix(standards): correct SHA in dependabot-rebase template #145

Open
don-petry wants to merge 3 commits into main from fix/standards-dependabot-rebase-sha

@don-petry don-petry commented Apr 17, 2026

Summary

  • The SHA 3c6335c6ee3e2f1a37f3e27e065e28d36d9c0dde in standards/workflows/dependabot-rebase.yml is a typo — it does not exist in this repo (returns 404 from the GitHub API)
  • The correct full SHA for the fix(dependabot-rebase): fall back to @dependabot rebase commit is 3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1
  • This was introduced in commit af3c1df when the SHA was bumped

Impact

All downstream repos that adopted the standard template (broodly, TalkTerm, google-app-scripts, markets, ContentTwin) currently reference @v1 tag or older SHAs. Open PRs in those repos that attempt to pin to 3c6335c6... will reference a non-existent commit and will fail when the workflow runs.

Test plan

  • Verify 3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1 resolves correctly: gh api repos/petry-projects/.github/git/commits/3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1 --jq .message
  • After merge, open PRs in downstream repos to adopt the corrected SHA

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated automated dependency management workflow configurations to use updated workflow references, improving the efficiency of dependency update processes.
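
The check in the test plan above, extended to every `uses:` line of a workflow file, as an added example (not code from this PR or repository). `audit_pins`, its status names and the `KNOWN` stand-in are assumptions made for illustration; the only external call is the `gh api` lookup quoted in the test plan.

```python
import re
import subprocess

# `uses: owner/repo/path@ref  # label` or `uses: ./local/path`
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+?)(?:@(\S+))?\s*(?:#.*)?$")
FULL_SHA = re.compile(r"[0-9a-f]{40}")


def gh_commit_exists(repo, sha):
    """Look the commit up with the gh CLI, as the test plan does (needs network and auth)."""
    cmd = ["gh", "api", f"repos/{repo}/git/commits/{sha}"]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def audit_pins(workflow_text, commit_exists=gh_commit_exists):
    """Return (line number, status, ref) for every `uses:` line in a workflow file."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        if not (m := USES_RE.match(line)):
            continue
        target, ref = m.groups()
        if target.startswith("./"):
            status = "local-ref"        # same commit as the caller, nothing to resolve
        elif ref is None or not FULL_SHA.fullmatch(ref):
            status = "not-full-sha"     # tag, branch or abbreviated SHA
        elif commit_exists("/".join(target.split("/")[:2]), ref):
            status = "ok"
        else:
            status = "missing-commit"   # well-formed SHA that does not resolve
        findings.append((lineno, status, ref))
    return findings


# Constructed sample: the refs quoted in this PR as four caller `uses:` lines.
WF = "petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml"
SAMPLE = f"""\
    uses: {WF}@3c6335c6ee3e2f1a37f3e27e065e28d36d9c0dde # v1
    uses: {WF}@3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1 # v1
    uses: ./.github/workflows/dependabot-rebase-reusable.yml
    uses: {WF}@v1
"""
KNOWN = {"3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1"}  # stand-in for the API lookup

if __name__ == "__main__":
    for finding in audit_pins(SAMPLE, lambda repo, sha: sha in KNOWN):
        print(finding)
```

Both SHAs in this PR abbreviate to 3c6335c, so only the full 40-character lookup tells the typo from the real commit.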

DJ and others added 2 commits April 16, 2026 19:26
The SHA 3c6335c6ee3e2f1a37f3e27e065e28d36d9c0dde is a typo — it does not
exist in the .github repo. The real full SHA for the
'fix(dependabot-rebase): fall back to @dependabot rebase' commit is
3c6335c.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 17, 2026 04:50
coderabbitai Bot commented Apr 17, 2026

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 47 minutes and 55 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 47 minutes and 55 seconds.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ce531a77-0866-4cc5-874c-6ce9266b2dfd

📥 Commits

Reviewing files that changed from the base of the PR and between 46a97fc and 5a086da.

📒 Files selected for processing (1)
  • standards/workflows/dependabot-rebase.yml
📝 Walkthrough

Updates the reusable workflow references in two dependabot-rebase workflow files: one transitions from an external pinned commit SHA to a local relative path reference, while the other updates to a different pinned commit SHA version.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Dependabot-rebase workflow reference (main repo): .github/workflows/dependabot-rebase.yml | Changed reusable workflow reference from external pinned commit (petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@f5c167c903...) to local relative path (./.github/workflows/dependabot-rebase-reusable.yml). |
| Dependabot-rebase workflow reference (standards): standards/workflows/dependabot-rebase.yml | Updated pinned commit SHA to 3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1 for the reusable workflow invocation. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'fix(standards): correct SHA in dependabot-rebase template' directly describes the main change: correcting a typoed SHA in the standards/workflows/dependabot-rebase.yml file. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


coderabbitai Bot previously approved these changes Apr 17, 2026

Copilot AI left a comment

Pull request overview

Updates the Dependabot rebase Tier-1 workflow references so downstream repos can pin a valid reusable-workflow commit, and adjusts this repo’s internal caller stub to use the local reusable workflow.

Changes:

  • Update standards/workflows/dependabot-rebase.yml to point at commit 3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1.
  • Change .github/workflows/dependabot-rebase.yml to call the local reusable workflow via ./.github/workflows/dependabot-rebase-reusable.yml.
  • Revise the internal stub’s header comments to explain the local-ref behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| standards/workflows/dependabot-rebase.yml | Updates the pinned reusable-workflow ref used by downstream template adopters. |
| .github/workflows/dependabot-rebase.yml | Switches this repo’s caller stub to a local reusable reference and updates its guidance comments. |

contents: write # update-branch via GITHUB_TOKEN (may touch .github/workflows/)
pull-requests: write # re-approve PRs after branch update
uses: petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@f5c167c903b50ae64c1c6445a02d60cd940d4253 # v1
uses: petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1 # v1
contents: write # update-branch via GITHUB_TOKEN (may touch .github/workflows/)
pull-requests: write # re-approve PRs after branch update
uses: petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@f5c167c903b50ae64c1c6445a02d60cd940d4253 # v1
uses: petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1 # v1
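Review bot: on the changed `uses:` line the trailing `# v1` comment is carried over unchanged from the f5c167c9... pin to the 3c6335c0... pin, so nothing in the hunk shows that the new commit is what v1 refers to. This ref runs with `contents: write` and `pull-requests: write`, so label the pin with something a reader can check, such as the commit subject or the exact tag it was taken from, and confirm that the full 40-character SHA resolves before merge.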
Comment on lines +9 to +12
# • You MAY change: nothing in normal use. NOTE: this file intentionally uses
# a LOCAL ref (`./`) instead of a pinned SHA — this repo IS the source of
# truth, so a local ref is always current. Other repos use pinned SHAs
# (see standards/workflows/dependabot-rebase.yml).
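Review bot: the header comment at lines +9 to +12 states only the benefit of the `./` ref ("always current") and leaves out the cost: with a local ref this repo's caller runs whatever version of the reusable workflow sits on the same commit, with no pin to bump or review. Add a sentence saying so, and write "full commit SHAs" where it says "pinned SHAs" so the contrast with standards/workflows/dependabot-rebase.yml is exact.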
@don-petry (Contributor, Author)

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

  • [major] PR is not mergeable (mergeStateStatus: DIRTY, mergeable: CONFLICTING). The branch must be rebased or the conflict resolved before merging.
  • [minor] .github/workflows/dependabot-rebase.yml:46 — Switching from a pinned SHA to a local relative path (./) means future changes to the reusable workflow take effect immediately with no pinning safety net for this repo's own instance. This is intentional and well-commented, but worth noting as ongoing operational context.

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on main if the branch is behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

Updates standards/workflows/dependabot-rebase.yml to reference the
current main SHA (9a694e5). All repos are being updated to this SHA
via individual PRs in this wave.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@don-petry (Contributor, Author)

Automated review — APPROVED

Risk: MEDIUM
Reviewed commit: 5a086dac2e408296a7fa1342bee053511ebbf989
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

Two-file workflow fix: corrects a non-existent SHA in the standards template (now points to valid main HEAD 9a694e5, confirmed present in repo), and switches this repo's own caller stub to a local relative ref (appropriate for the source-of-truth repo). All CI checks pass, the reusable workflow file exists at the new pinned SHA, and no security anti-patterns are present.

Findings

Info

  • info · .github/workflows/dependabot-rebase.yml:46 — .github/workflows/dependabot-rebase.yml now uses a local relative ref (./) instead of a pinned SHA. This is intentional and well-documented — this repo is the source of truth for the reusable workflow. The permissions block (contents: write, pull-requests: write) is unchanged.
  • info · standards/workflows/dependabot-rebase.yml:47 — standards/workflows/dependabot-rebase.yml SHA bumped to 9a694e5 (labeled # main). Verified: commit exists and dependabot-rebase-reusable.yml is present at that ref. Note that 9a694e5 is a dependency-bump commit, not a workflow-logic commit — the label # main accurately describes intent (pin to current HEAD).
  • info · merge-state — Prior review flagged CONFLICTING merge state. Current mergeStateStatus is UNKNOWN (GitHub reports UNKNOWN for recently pushed commits while it recalculates). Branch HEAD is 5a086da — the latest commit explicitly addresses the conflict from the prior review cycle.

CI status

All CI checks pass (ci-green · sha-verified · conflicts-resolved · no-security-antipatterns).


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@don-petry don-petry enabled auto-merge (squash) April 17, 2026 17:33
@github-actions (Contributor)

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push
