
fix(ci): adopt dependabot-rebase standard (correct SHA + dispatch trigger)#194

Open
don-petry wants to merge 2 commits into main from fix/dependabot-rebase-adopt-standard

Conversation

@don-petry
Collaborator

Adopts standards/workflows/dependabot-rebase.yml verbatim. Pins reusable to correct SHA 3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1, adds workflow_dispatch trigger, fixes permissions/secrets block. Supersedes prior SHA-pinning and dispatch PRs.

Copilot AI review requested due to automatic review settings April 17, 2026 06:55
@coderabbitai

coderabbitai Bot commented Apr 17, 2026

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 45 minutes and 47 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 45 minutes and 47 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7c841a0c-36fa-4c51-bba8-c0955b9c7cc1

📥 Commits

Reviewing files that changed from the base of the PR and between 32e618b and d6d3d2f.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-rebase.yml

Contributor

Copilot AI left a comment


Pull request overview

Updates the repository’s Dependabot rebase workflow stub to align with the org-standard caller, ensuring the reusable workflow is pinned correctly and can be manually invoked when needed.

Changes:

  • Adds a workflow_dispatch trigger for manually running the Dependabot rebase workflow.
  • Updates the reusable workflow reference to a pinned SHA and adjusts the secrets/permissions blocks to match the standard stub.

Comment on lines +45 to +47
secrets:
APP_ID: ${{ secrets.APP_ID }}
APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
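Review bot: with an explicit `secrets:` mapping on lines +45 to +47, the reusable workflow on the callee side must declare both `APP_ID` and `APP_PRIVATE_KEY` under its own `on.workflow_call.secrets` (ideally with `required: true`); a secret forwarded that the referenced workflow does not declare is rejected at run validation, so please confirm the pinned callee revision declares exactly these two names. Since this block replaces `secrets: inherit`, the file's header comment describing the secrets as inherited no longer matches and should be reworded to say they are forwarded explicitly.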

Copilot AI Apr 17, 2026


The header comment still says "Required org/repo secrets (inherited)", but this workflow now passes APP_ID/APP_PRIVATE_KEY via an explicit secrets: mapping (not secrets: inherit). Please update the comment to avoid misleading future maintainers about how secrets are provided to the reusable workflow.

@don-petry
Collaborator Author

Automated review — APPROVED

Risk: LOW
Reviewed commit: c3eff6bdcf6bbc5aa0354b4c02ea3e553329c3b8
Cascade: triage → audit (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

This PR is a net security improvement: it pins the reusable workflow to an immutable SHA (replacing mutable @v1 tag), replaces secrets: inherit with explicit secret forwarding (least privilege), and adopts the org standard caller stub. The permission escalation to contents:write + pull-requests:write is required by the reusable workflow's design and matches the org standard template exactly. No injection vectors, no untrusted code execution paths, no pull_request_target triggers.

Findings

Minor

  • [minor] .github/workflows/dependabot-rebase.yml:41 — Job permissions escalated from read to write for both contents and pull-requests. Verified this is required: the reusable workflow's update-branch API and PR approval/merge operations need write access. The reusable workflow (audited at pinned SHA) only calls gh CLI API endpoints — no code checkout, no script execution, no workflow file writes. Matches org standard template exactly.

Info

  • [info] .github/workflows/dependabot-rebase.yml:44 — Reusable workflow reference changed from @v1 (mutable tag, susceptible to tag-hijack) to pinned SHA 3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1. This is a significant supply-chain hardening improvement. The SHA was verified to exist and correspond to a legitimate commit in petry-projects/.github.
  • [info] .github/workflows/dependabot-rebase.yml:45 — secrets: inherit replaced with explicit forwarding of only APP_ID and APP_PRIVATE_KEY. This prevents the reusable workflow from accessing any other org/repo secrets — a clear least-privilege improvement.
  • [info] .github/workflows/dependabot-rebase.yml:47 — APP_PRIVATE_KEY is forwarded to the reusable workflow which uses it solely via actions/create-github-app-token@1b10c78c (pinned SHA) to generate a short-lived GitHub App token. The private key is never logged, interpolated in shell commands, or otherwise exposed. Standard operational pattern for GitHub App authentication.
  • [info] .github/workflows/dependabot-rebase.yml:44 — The PR pins to SHA 3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1 but the org standard template (standards/workflows/dependabot-rebase.yml) references 3c6335c6ee3e2f1a37f3e27e065e28d36d9c0dde, which does NOT exist as a commit. The PR's SHA is the valid one. The org standard template may need correction — this is an upstream issue, not a problem with this PR.
  • [info] CI — The autofix check failed (FAILURE), causing merge to be BLOCKED. All security-relevant checks passed: CodeQL (SUCCESS), SonarCloud (SUCCESS), dependency-audit (SUCCESS), AgentShield (SUCCESS). The blocking failure is a formatting/style check only.

CI status

mergeStateStatus: BLOCKED — The autofix CI check is failing. All security gates (CodeQL, SonarCloud, dependency-audit, AgentShield) have passed; the block is non-security.


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
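The two hardening properties the automated review credits this PR with (a reusable-workflow reference pinned to a full commit SHA instead of a mutable tag, and explicit secret forwarding instead of `secrets: inherit`) are easy to check mechanically on every caller stub. The following lint is an added example written for this page; it is not code from the PR, the repository, or the org standard template. The two workflow texts inside it are constructed: the reusable-workflow path is a placeholder, the permissions mirror what the review describes, and the commit SHA is the one the PR pins. No YAML library is needed because the checks are line-oriented.

```python
"""Lint a GitHub Actions caller workflow for (1) `uses:` references pinned
to a full 40-hex commit SHA and (2) absence of `secrets: inherit`, plus a
helper that lists which permission scopes are granted write access so a
reviewer can confirm each escalation is justified.

Added example, not part of the PR or the org standard. The workflow texts
are constructed for illustration; the reusable-workflow path is a placeholder.
"""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*uses:\s*([^\s#]+)")
INHERIT_LINE = re.compile(r"^\s*secrets:\s*inherit\s*$")
PERM_LINE = re.compile(
    r"^\s*(contents|pull-requests|id-token|actions|packages):\s*(write|read|none)\s*$"
)

# Constructed "before" stub: mutable @v1 tag plus blanket secret inheritance.
WEAK_CALLER = """\
name: Dependabot rebase
on:
  workflow_dispatch:
jobs:
  rebase:
    permissions:
      contents: write
      pull-requests: write
    uses: petry-projects/.github/.github/workflows/dependabot-rebase.yml@v1  # PLACEHOLDER path
    secrets: inherit
"""

# Constructed "after" stub: SHA pinned by the PR, only the two needed secrets forwarded.
HARDENED_CALLER = """\
name: Dependabot rebase
on:
  workflow_dispatch:
jobs:
  rebase:
    permissions:
      contents: write
      pull-requests: write
    uses: petry-projects/.github/.github/workflows/dependabot-rebase.yml@3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1  # PLACEHOLDER path
    secrets:
      APP_ID: ${{ secrets.APP_ID }}
      APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
"""


def lint_caller(workflow_text: str) -> list[str]:
    """Return human-readable findings; an empty list means the stub passes."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./"):
                continue  # local reusable workflow, same commit by construction
            target, at, ref_part = ref.rpartition("@")
            if not at:
                findings.append(f"line {lineno}: uses '{ref}' carries no ref at all")
            elif not SHA40.match(ref_part):
                findings.append(
                    f"line {lineno}: uses '{target}' pinned to mutable ref "
                    f"'{ref_part}'; expected a 40-hex commit SHA"
                )
        if INHERIT_LINE.match(line):
            findings.append(
                f"line {lineno}: 'secrets: inherit' forwards every org/repo secret; "
                "list only the secrets the callee declares"
            )
    return findings


def write_permissions(workflow_text: str) -> list[str]:
    """List permission scopes granted write, in file order."""
    scopes = []
    for line in workflow_text.splitlines():
        m = PERM_LINE.match(line)
        if m and m.group(2) == "write":
            scopes.append(m.group(1))
    return scopes


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CALLER), ("hardened", HARDENED_CALLER)):
        print(f"{label}: write scopes = {write_permissions(text)}")
        for finding in lint_caller(text) or ["no findings"]:
            print("  ", finding)
```

Running the module prints two findings for the weak stub (mutable `@v1` ref and `secrets: inherit`) and none for the hardened one, while reporting `contents` and `pull-requests` as write scopes for both, which is the escalation the review says the reusable workflow genuinely needs. Dropping this into a repository as a pre-commit or CI step turns the review's manual verification into a repeatable gate.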

@don-petry don-petry enabled auto-merge (squash) April 17, 2026 08:39
