fix(ci): align dependabot-rebase with org standard + confirm allow_auto_merge (#119)
- Add workflow_dispatch trigger to allow manual flush of Dependabot PR queue
- Upgrade job permissions from read to write (contents + pull-requests) so the reusable can actually update branches and re-approve PRs
- Switch from secrets: inherit to explicit APP_ID / APP_PRIVATE_KEY per standard
- Update AGENTS comment block to match current template guidance

Repository setting allow_auto_merge confirmed true (re-applied via API).

Closes #91

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
@don-petry — this PR is ready for your review and merge. The changes align
Pull request overview
This PR aims to bring the repo back into compliance for Dependabot automation by reconfirming allow_auto_merge: true and updating the local Dependabot rebase workflow stub to match the org-standard template.
Changes:
- Updated `.github/workflows/dependabot-rebase.yml` to add `workflow_dispatch` for manual runs.
- Adjusted the caller job permissions to `contents: write` / `pull-requests: write`.
- Switched from `secrets: inherit` to explicitly passing `APP_ID` / `APP_PRIVATE_KEY` into the reusable workflow.
| # • You MAY change: the SHA in the `uses:` line when upgrading the reusable | ||
| # workflow version (bump SHA to latest main of petry-projects/.github). |
The AGENTS guidance says you may change the "SHA" in the uses: line, but the workflow currently references the reusable via @v1 (tag), not a SHA. This is misleading for maintainers—either update the wording to refer to the ref/tag used here, or switch uses: to an actual SHA if that’s the intended convention.
| # • You MAY change: the SHA in the `uses:` line when upgrading the reusable | |
| # workflow version (bump SHA to latest main of petry-projects/.github). | |
| # • You MAY change: the ref/tag in the `uses:` line when upgrading the reusable | |
| # workflow version (for example, bump the tag used from petry-projects/.github). |
| # • You MUST NOT change: trigger event, the concurrency group name, | ||
| # the `uses:` line, `secrets: inherit`, or the job-level `permissions:` | ||
| # block — reusable workflows can be granted no more permissions than the | ||
| # calling job has, so removing the stanza breaks the reusable's gh API | ||
| # calls. | ||
| # the explicit secrets block, or the job-level `permissions:` block — | ||
| # reusable workflows can be granted no more permissions than the calling |
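Review bot: the MAY and MUST NOT bullets in this AGENTS block contradict each other: the earlier bullet permits changing the SHA (ref/tag) in the `uses:` line, while this bullet lists "the `uses:` line" itself among the things that MUST NOT change. Narrow the MUST NOT entry to the part that is genuinely fixed, for example "the `uses:` target (repository and workflow path, not its ref)", so a maintainer bumping the reusable version is not reading two conflicting rules. The replacement of `secrets: inherit` with "the explicit secrets block" in the new lines does match the secrets change this PR makes.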
The AGENTS comment says "You MUST NOT change: trigger event", but this PR changes the triggers by adding workflow_dispatch. Please update the guidance to match the now-standard trigger set (or remove workflow_dispatch if triggers truly must remain unchanged).
Summary
- Confirmed the `allow_auto_merge: true` repository setting via GitHub API (was already `true` but re-confirmed)
- Aligned `dependabot-rebase.yml` with the org standard template (`standards/workflows/dependabot-rebase.yml`)

Changes

`.github/workflows/dependabot-rebase.yml`:
- Added `workflow_dispatch` trigger — allows manual flush of the Dependabot PR queue
- Changed `contents: read / pull-requests: read` to `contents: write / pull-requests: write` — the reusable workflow needs write access to update branches and re-approve PRs after rebasing
- Passed explicit secrets (`APP_ID` / `APP_PRIVATE_KEY`) per the org standard, instead of `secrets: inherit`

Repository setting
- `allow_auto_merge` confirmed and re-patched to `true` via `PATCH /repos/petry-projects/TalkTerm`

Root Cause Analysis

The compliance audit uses `ORG_SCORECARD_TOKEN`, which may have limited API permissions. All repository settings (`allow_auto_merge`, `delete_branch_on_merge`, `has_discussions`, etc.) are confirmed correct via the REST API. The finding should auto-resolve on the next weekly audit (Friday).

The `dependabot-rebase.yml` had insufficient permissions (`read` instead of `write`), meaning the reusable workflow could not actually update Dependabot branches — the Dependabot auto-merge pipeline was effectively broken even with `allow_auto_merge: true`.

Closes #91

Generated with Claude Code
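The caller-workflow shape the PR describes, as an added example that is not the repository's actual `dependabot-rebase.yml` nor code from petry-projects/.github: it shows the read-only / `secrets: inherit` form that was silently breaking the reusable workflow next to the corrected form with write scopes, `workflow_dispatch`, and explicit secret pass-through. The reusable workflow path, the `@v1` tag, the `schedule` trigger and the concurrency group name are assumed placeholders; the scopes and the `APP_ID` / `APP_PRIVATE_KEY` secret names are the ones the PR names.

```yaml
# Added example, not the project's own file. Placeholders are marked as such.
name: dependabot-rebase

on:
  schedule:                   # assumed existing trigger (placeholder)
    - cron: "0 6 * * 1-5"
  workflow_dispatch:          # added: lets a maintainer flush the Dependabot PR queue by hand

concurrency:
  group: dependabot-rebase    # placeholder name; the AGENTS block says the real one must not change
  cancel-in-progress: false

jobs:
  # --- BEFORE (the shape this PR replaces) ---
  # A reusable workflow can never receive more than the calling job's
  # job-level permissions, so with both scopes at `read` the reusable's
  # branch updates and PR re-approvals fail even when allow_auto_merge is true.
  # `secrets: inherit` also hands the reusable every repository secret,
  # not just the two it needs.
  #
  # rebase:
  #   permissions:
  #     contents: read
  #     pull-requests: read
  #   uses: petry-projects/.github/.github/workflows/dependabot-rebase.yml@v1   # placeholder path
  #   secrets: inherit

  # --- AFTER (the shape this PR introduces) ---
  rebase:
    permissions:
      contents: write         # push rebased commits to Dependabot branches
      pull-requests: write    # re-approve / comment on the PRs after the rebase
    uses: petry-projects/.github/.github/workflows/dependabot-rebase.yml@v1   # placeholder path; @v1 per the review thread
    secrets:
      # Explicit pass-through: the reusable workflow sees only the two secrets
      # it needs to mint a GitHub App installation token, nothing else.
      APP_ID: ${{ secrets.APP_ID }}
      APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
```

Two things are worth checking after applying a change like this: the caller's job-level `permissions:` block really is the ceiling for the reusable workflow, so a later "tightening" back to `read` reproduces the original failure without any error in the caller itself; and the repository setting the PR re-patched can be re-read with `gh api repos/OWNER/REPO --jq .allow_auto_merge`, which is a cheap assertion to keep in a compliance check alongside the workflow file.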