fix(ci): adopt dependabot-rebase standard (correct SHA + dispatch trigger)

[don-petry]

Adopts standards/workflows/dependabot-rebase.yml verbatim. Pins reusable to correct SHA 3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1, adds workflow_dispatch trigger, fixes permissions/secrets block. Supersedes prior SHA-pinning and dispatch PRs.

[coderabbitai]

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 48 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 51 minutes and 48 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5ead3b2a-6194-4d44-8449-2db197c841d0

📥 Commits

Reviewing files that changed from the base of the PR and between 051f051 and d7a51d0.

📒 Files selected for processing (1)

• .github/workflows/dependabot-rebase.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/dependabot-rebase-adopt-standard

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

Updates the Dependabot rebase workflow to align with the org standard caller stub, including correct pinning of the reusable workflow and enabling manual runs.

Changes:

• Add workflow_dispatch so the workflow can be manually triggered.
• Pin the reusable workflow to the specified SHA and update job permissions to the required write scopes.
• Replace secrets: inherit with an explicit secrets mapping for the reusable workflow.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[don-petry]

Automated review — APPROVED

Risk: MEDIUM
Reviewed commit: 792ed3681d05e9b903066b6e0020ac6906e6e034
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

This PR adopts the org standard for the dependabot-rebase caller stub: it upgrades permissions from read to write (required for update-branch), pins the reusable workflow to a verified SHA (security improvement over a mutable @v1 tag), replaces secrets: inherit with explicit APP_ID/APP_PRIVATE_KEY mapping (improved least-privilege), and adds workflow_dispatch. All security scanners (CodeQL, SonarCloud, AgentShield) pass with zero findings. The SHA 3c6335c0 is confirmed to exist in petry-projects/.github with a relevant commit message. Risk is MEDIUM due to permission escalation, but all gates pass and the changes improve the overall security posture.

Findings

Info

• [info] .github/workflows/dependabot-rebase.yml:45 — SHA pinned to 3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1 (verified in petry-projects/.github, dated 2026-04-17) — this is an improvement over a mutable @v1 tag and prevents supply-chain tag-redirect attacks.
• [info] .github/workflows/dependabot-rebase.yml:47 — Switched from secrets: inherit (all secrets) to explicit APP_ID + APP_PRIVATE_KEY mapping — least-privilege improvement. The GitHub App credentials are standard for org-level automation.
• [info] CI — All CI checks passed: CodeQL (actions+python), SonarCloud (0 new issues, 0 security hotspots), AgentShield (SUCCESS), Dependency audit (SUCCESS). No scanner warnings.

Minor

• [minor] .github/workflows/dependabot-rebase.yml:41 — Permissions upgraded from contents: read / pull-requests: read to contents: write / pull-requests: write. The write access is necessary for the reusable workflow's update-branch call. The inline comment correctly explains the scope and why it may touch .github/workflows/ (triggers a known fallback to @dependabot rebase when GitHub blocks update-branch for workflow files).

CI status

All CI gates green: CodeQL (actions+python), SonarCloud (0 new issues, 0 security hotspots), AgentShield (SUCCESS), Dependency audit (SUCCESS).

---

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.