fix: pin dependabot-rebase reusable workflow to SHA (issue #157)

[don-petry]

Summary

• Pins dependabot-rebase-reusable.yml reference from @v1 tag to SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d (the commit the v1 tag currently resolves to), resolving the action-pinning compliance finding
• Syncs remaining template improvements: workflow_dispatch trigger, elevated contents:write/pull-requests:write permissions, and explicit APP_ID/APP_PRIVATE_KEY secrets instead of secrets: inherit

Change

-    uses: petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@v1
-    secrets: inherit
+    uses: petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1
+    secrets:
+      APP_ID: ${{ secrets.APP_ID }}
+      APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}

SHA verification

The SHA was resolved via:

gh api repos/petry-projects/.github/git/refs/tags/v1 --jq '.object.sha'
# → ee22b427cbce9ecadcf2b436acb57c3adf0cb63d

Note: The upstream template at petry-projects/.github/standards/workflows/dependabot-rebase.yml contains a SHA that doesn't exist in the repository (3c6335c6ee3e2f1a37f3e27e065e28d36d9c0dde). The correct SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) was obtained by resolving the v1 tag directly. The template should be updated in a separate PR against the central repo.

Closes #157

Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 46 minutes and 10 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 46 minutes and 10 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 859ffefd-4b9e-46a0-857a-fe3df77eea76

📥 Commits

Reviewing files that changed from the base of the PR and between 32e618b and 7235667.

📒 Files selected for processing (1)

• .github/workflows/dependabot-rebase.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-157-20260419-2333

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

Self-review

The change looks correct:

• SHA verified: ee22b427cbce9ecadcf2b436acb57c3adf0cb63d was obtained by resolving the v1 tag via gh api repos/petry-projects/.github/git/refs/tags/v1, not guessed
• Permissions: upgraded from contents: read / pull-requests: read to write (required for the reusable workflow to update branches and re-approve PRs)
• Secrets: changed from secrets: inherit to explicit APP_ID / APP_PRIVATE_KEY (template best practice)
• Trigger: workflow_dispatch added to allow manual queue flush
• No functional regressions: this is a thin caller stub — all logic is in the reusable

Note on previous PRs: PR #181 and PR #204 made similar fixes but were either closed or not merged. This PR resolves the same compliance finding. PR #204 (still open on a different branch) can be closed once this one merges.

Note on template SHA: The upstream template at petry-projects/.github/standards/workflows/dependabot-rebase.yml uses SHA 3c6335c6ee3e2f1a37f3e27e065e28d36d9c0dde which doesn't exist in the repo. The actual valid SHA (ee22b427cbce9ecadcf2b436acb57c3adf0cb63d) was resolved from the tag. A follow-up PR against the central repo should correct the template.

@don-petry — ready for your review and merge.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

Pins the Dependabot rebase reusable workflow reference to a commit SHA to satisfy action-pinning compliance, and updates the caller workflow configuration to match a newer template variant.

Changes:

• Pinned petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml from @v1 to a specific SHA.
• Added workflow_dispatch to allow manually triggering the workflow.
• Changed job permissions to contents: write / pull-requests: write and replaced secrets: inherit with explicit APP_ID / APP_PRIVATE_KEY mapping.

[Copilot]

The header comment says this workflow is a thin caller stub where only the uses: SHA should change, and that the trigger/secrets/permissions blocks must not be changed. This PR also changes the trigger (workflow_dispatch), permissions, and secrets handling, which creates drift from the stated “SOURCE OF TRUTH”/stub contract (similar stubs in this repo are adopted verbatim; e.g. .github/workflows/dependabot-automerge.yml:6-14 and .github/workflows/claude.yml:6-12). Consider limiting this PR to just the SHA pin, and making template behavior changes in the central repo (then re-sync verbatim), or update the stub contract text if these changes are now intended locally.

[Copilot]

Switching from secrets: inherit to explicit secret mapping means the earlier “Required org/repo secrets (inherited)” note is now misleading. Please update the documentation in this file to reflect the new secret-passing behavior (or revert back to secrets: inherit if that’s what the reusable expects).