Conversation
…n-strict Three updates to standards/dependabot-policy.md based on findings from the org-wide compliance work in #87..96 and petry-projects/ContentTwin#53: 1. APP_ID / APP_PRIVATE_KEY are documented as ORG-LEVEL secrets, not per-repo. The reusable callers use `secrets: inherit` so any repo with a centralized dependabot workflow picks them up automatically from org. Per-repo copies are deprecated drift; rotation should happen once at the org level. 2. dependabot-rebase.yml is now marked OPTIONAL — adopt only when the repo enforces strict required-status-checks. Non-strict repos (e.g. petry-projects/bmad-bgreat-suite) don't need it because PRs that fall behind can merge as-is. Adding the rebase workflow on non-strict repos just produces failure noise from missing app secrets and serves no purpose. 3. The required-status-check guidance now names the canonical reusable check (`dependency-audit / Detect ecosystems`) and warns against requiring per-ecosystem jobs, which report SKIPPED when their lockfile is absent and would fail the gate. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 7 minutes and 28 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughDocumentation update to the Dependabot policy clarifying conditional workflow inclusion based on branch protection settings, centralizing secrets to organization level with Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~5 minutes Possibly related issues
Possibly related PRs
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
don-petry
pushed a commit
to petry-projects/bmad-bgreat-suite
that referenced
this pull request
Apr 8, 2026
…trict repo Closes #79. The dependabot-rebase reusable exists to handle the case where branch protection requires "branches must be up to date" (strict required- status-checks). When a Dependabot PR falls behind main, the rebase workflow uses a GitHub App token to merge main into the PR branch and then merge the PR, forming a self-sustaining serialized chain. This repo does NOT enforce strict status checks: - ruleset 14805960 (code-quality): strict_required_status_checks_policy=false - ruleset 14759908 (protect-branches): strict_required_status_checks_policy=false - no classic branch protection on main Without strict checks, Dependabot PRs that fall behind can merge as-is, so the rebase workflow has nothing useful to do. It was being added on every CI run and failing immediately with: Secret APP_ID is required, but not provided while calling. Secret APP_PRIVATE_KEY is required, but not provided while calling. Removing the workflow eliminates the failure noise and removes the need for repo-level GitHub App secrets here entirely. Per the updated standards/dependabot-policy.md (petry-projects/.github#97), dependabot-rebase.yml is now documented as optional and only required when strict status checks are enforced. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2 tasks
Contributor
There was a problem hiding this comment.
Pull request overview
Updates Dependabot adoption guidance to reflect org-level GitHub App secrets, clarify when the rebase workflow is actually needed, and correct required-status-check configuration to match the canonical dependency-audit reusable workflow.
Changes:
- Document that
APP_ID/APP_PRIVATE_KEYshould be managed as org-level secrets and inherited by caller stubs. - Mark
dependabot-rebase.ymlas optional unless strict required-status-checks are enforced. - Update required-status-check guidance to the canonical
dependency-audit / Detect ecosystemsand warn against requiring conditional per-ecosystem jobs.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@standards/dependabot-policy.md`:
- Around line 211-217: Add a short verification step to the APP_ID /
APP_PRIVATE_KEY org-secrets paragraph: explain how to confirm org-level secrets
exist before deleting per-repo copies by running the GitHub CLI check (e.g., use
`gh secret list --org <org>` and filter for APP_ID and APP_PRIVATE_KEY) and
mention confirming `secrets: inherit` usage in dependabot workflows; reference
the APP_ID, APP_PRIVATE_KEY and secrets: inherit terms so maintainers know where
to verify and what command to run.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 7985007f-0dba-4f4e-903f-637734bf03a8
📒 Files selected for processing (1)
standards/dependabot-policy.md
don-petry
added a commit
to petry-projects/bmad-bgreat-suite
that referenced
this pull request
Apr 8, 2026
…trict repo (#82) Closes #79. The dependabot-rebase reusable exists to handle the case where branch protection requires "branches must be up to date" (strict required- status-checks). When a Dependabot PR falls behind main, the rebase workflow uses a GitHub App token to merge main into the PR branch and then merge the PR, forming a self-sustaining serialized chain. This repo does NOT enforce strict status checks: - ruleset 14805960 (code-quality): strict_required_status_checks_policy=false - ruleset 14759908 (protect-branches): strict_required_status_checks_policy=false - no classic branch protection on main Without strict checks, Dependabot PRs that fall behind can merge as-is, so the rebase workflow has nothing useful to do. It was being added on every CI run and failing immediately with: Secret APP_ID is required, but not provided while calling. Secret APP_PRIVATE_KEY is required, but not provided while calling. Removing the workflow eliminates the failure noise and removes the need for repo-level GitHub App secrets here entirely. Per the updated standards/dependabot-policy.md (petry-projects/.github#97), dependabot-rebase.yml is now documented as optional and only required when strict status checks are enforced. Co-authored-by: DJ <dj@Rachels-MacBook-Air.local> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…epo App secrets CodeRabbit on #97: explain how to confirm org-level secrets exist before deleting per-repo copies. Adds the exact gh CLI command and notes that the dependabot caller stubs must also be confirmed to include 'secrets: inherit' before cleanup, otherwise the workflow falls back to nothing. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updates
standards/dependabot-policy.mdbased on findings from petry-projects/ContentTwin#53 and petry-projects/bmad-bgreat-suite#79.Changes
APP_ID / APP_PRIVATE_KEY are org-level, not per-repo. The reusable callers already use
secrets: inherit, so any repo with a centralized dependabot workflow picks them up from org automatically. Per-repo copies (currently in broodly, google-app-scripts, markets, TalkTerm) are deprecated drift; rotation should happen once at the org level.dependabot-rebase.yml is now marked optional — adopt only when the repo enforces strict required-status-checks. Non-strict repos (bmad-bgreat-suite is one) don't need it. Adding it without strict checks just produces failure noise from missing app secrets and serves no purpose.
Required-status-check guidance now names the canonical reusable check (
dependency-audit / Detect ecosystems) and warns against requiring per-ecosystem jobs which would fail the gate when reporting SKIPPED.Follow-ups (separate work, not in this PR)
gh secret set APP_ID --org petry-projects --visibility alland same forAPP_PRIVATE_KEYto provision the org-level secrets (resolves ContentTwin#53)dependabot-rebase.ymlfrom bmad-bgreat-suite (separate PR to that repo, resolves bmad#79)APP_ID/APP_PRIVATE_KEYfrom the 4 existing repos once org-level secrets are confirmed in placeTest plan
🤖 Generated with Claude Code
Summary by CodeRabbit