fix: add workflow_dispatch trigger to dependabot-rebase workflow

[don-petry]

Adds workflow_dispatch to allow manual triggering of the Dependabot rebase workflow to flush the PR queue after batch updates. See petry-projects/.github#139

[coderabbitai]

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 59 minutes and 57 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 59 minutes and 57 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 28353752-c3e1-4397-9164-98b545803a6d

📥 Commits

Reviewing files that changed from the base of the PR and between 4235652 and 552e591.

📒 Files selected for processing (1)

• .github/workflows/dependabot-rebase.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/dependabot-rebase-dispatch

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

Adds a manual trigger to the repository’s Dependabot rebase workflow so it can be run on-demand (e.g., to flush/serialize queued Dependabot PR updates) in addition to running on pushes to main.

Changes:

• Add workflow_dispatch trigger to .github/workflows/dependabot-rebase.yml.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[don-petry]

Automated review — APPROVED

Risk: MEDIUM
Reviewed commit: 552e591a68d329960b8465ed158e640697a6036c
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

PR adds workflow_dispatch to a thin-caller GitHub Actions workflow that delegates to an org-level reusable workflow via secrets: inherit. The trigger addition is the downstream sync of org standard petry-projects/.github#139; the permissions model is unchanged (calling job has only read perms; elevated access comes from the pre-existing GitHub App token in the reusable). All security scanners (CodeQL, SonarCloud, AgentShield, CodeRabbit) passed. Incremental attack surface from workflow_dispatch is negligible — write-access users could already trigger the same code path via push to main.

Findings

Info

• .github/workflows/dependabot-rebase.yml:30 — workflow_dispatch added to a workflow using secrets: inherit. Any repo contributor with write access can now manually trigger this workflow, causing it to consume APP_PRIVATE_KEY. Risk is low because (a) write-access users could already trigger via push to main, (b) the reusable workflow is purpose-built for this operation, and (c) the calling job holds only read permissions.
• .github/workflows/dependabot-rebase.yml — File header states 'You MUST NOT change: trigger event', but this PR modifies the trigger. PR description references feat(dependabot-rebase): add workflow_dispatch trigger .github#139 which appears to be the upstream org-standard change being synced here. Verify that docs(workflows): clarify intentional double .github/ in reusable-workflow paths #139 was merged before or alongside this PR to ensure consistency with the policy document.
• CI status: All required checks pass: CodeQL SUCCESS, SonarCloud SUCCESS, AgentShield SUCCESS, CodeRabbit SUCCESS. dependabot-automerge was SKIPPED (expected — no active Dependabot PRs at time of CI run).

---

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

[don-petry]

Superseded by # which adopts the full standard verbatim including workflow_dispatch and the corrected SHA.