fix: pin dependabot-rebase reusable workflow to SHA (issue #157)#204
Copy template verbatim from `petry-projects/.github/standards/workflows/dependabot-rebase.yml`. Key changes:

- Pin `uses:` to SHA 3c6335c6ee3e2f1a37f3e27e065e28d36d9c0dde (v1) instead of @v1 tag
- Add workflow_dispatch trigger to allow manual queue flush
- Elevate permissions to contents:write and pull-requests:write (required by reusable)
- Replace `secrets: inherit` with explicit APP_ID and APP_PRIVATE_KEY secrets block

Closes #157

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
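The caller-stub change described above, shown as an added before/after example rather than the PR's own file contents. The stub filename, job name, the `pull_request` trigger and the `.github/workflows/` path of the reusable workflow are assumptions; the SHA, tag, permissions and secret names come from the PR description.

```yaml
# BEFORE (assumed shape of the old caller stub):
# mutable tag, inherited secrets, default permissions.
name: Dependabot rebase
on:
  pull_request:          # assumed primary trigger
jobs:
  rebase:                # assumed job name
    # @v1 is a floating tag: whoever controls the upstream repo can move it,
    # so the code that runs here can change without any change in this repo.
    uses: petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@v1
    # inherit hands every secret of the caller repo to the reusable workflow.
    secrets: inherit
---
# AFTER: immutable SHA, explicit secrets, explicit permissions, manual trigger.
name: Dependabot rebase
on:
  pull_request:          # assumed primary trigger
  workflow_dispatch:     # manual queue flush
jobs:
  rebase:
    # Least privilege: grant only what the reusable workflow needs.
    permissions:
      contents: write
      pull-requests: write
    # Pinned to the commit behind the v1 tag; the trailing "# v1" comment lets
    # Dependabot keep the SHA current while preserving the version hint.
    uses: petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@3c6335c6ee3e2f1a37f3e27e065e28d36d9c0dde # v1
    # Pass only the two secrets the reusable workflow actually consumes.
    secrets:
      APP_ID: ${{ secrets.APP_ID }}
      APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
```

Before merging a SHA bump, confirm the commit really is the one the upstream tag points at (for example with `git ls-remote --tags` against the petry-projects/.github repository) rather than an arbitrary commit on main.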
@don-petry — this PR pins the dependabot-rebase reusable workflow to its SHA as required by the action-pinning compliance policy (issue #157). The template from
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Pins the Dependabot rebase reusable workflow to an immutable commit SHA to satisfy action-pinning compliance, and syncs the caller stub with the latest template behavior.
Changes:

- Pin reusable workflow reference from `@v1` to a specific SHA.
- Add `workflow_dispatch` to allow manual runs.
- Replace `secrets: inherit` with explicit secret mappings and elevate job permissions to `contents:write`/`pull-requests:write`.
| # lives in the reusable workflow above. | ||
| # • You MAY change: nothing in this file in normal use. Adopt verbatim. | ||
| # • You MAY change: the SHA in the `uses:` line when upgrading the reusable | ||
| # workflow version (bump SHA to latest main of petry-projects/.github). |
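Review bot: the two "You MAY change" bullets and the "bump SHA to latest main" instruction pull in opposite directions: the header says to adopt the file verbatim, while the upgrade note points at the moving tip of main, which is exactly the kind of unvetted reference the pinning policy exists to avoid. Suggest the upgrade note name the SHA behind the intended release (the commit the `v1` tag resolves to) and state how to check it, e.g. with `git ls-remote --tags` against petry-projects/.github, so a reviewer can verify the pinned value without trusting the PR author's copy.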
The instruction to ‘bump SHA to latest main’ is easy to misread as endorsing tracking main (or an arbitrary commit) rather than a vetted release commit. To keep upgrades auditable/compliance-friendly, consider rewording this to explicitly say to bump to the SHA that corresponds to the intended released version (e.g., the commit for the v1 tag/release), and optionally include a link to the upstream release/changelog for verification.
| # workflow version (bump SHA to latest main of petry-projects/.github). | |
| # workflow version (bump to the SHA for the intended released version of | |
| # petry-projects/.github, such as the commit for the `v1` tag/release). |



Summary

- Pins `dependabot-rebase-reusable.yml` reference from `@v1` tag to SHA `3c6335c6ee3e2f1a37f3e27e065e28d36d9c0dde` (v1) to satisfy the action-pinning compliance policy
- Copies template verbatim from `petry-projects/.github/standards/workflows/dependabot-rebase.yml` — the template itself is already SHA-pinned
- Adds `workflow_dispatch` trigger, elevates permissions to `contents:write`/`pull-requests:write`, and replaces `secrets: inherit` with explicit secrets block

Change

Closes #157

Generated with Claude Code