ci: update dependabot-rebase.yml to canonical stub#260
@petry-projects/org-leads — this PR brings
Pull request overview
Updates the repository’s Dependabot rebase workflow stub to align with org standards and ensure the rebase/merge chain continues even during periods of low activity.
Changes:
- Updates the header guidance to reflect that `schedule` is also a required trigger (in addition to `push` and `workflow_dispatch`).
- Adds a `schedule` trigger (`0 */4 * * *`) as a safety net when `main` doesn't receive pushes.
- Clarifies the `APP_ID` secret comment to note required GitHub App permissions include `contents:write`.
| # (`push` keeps the self-sustaining chain; `workflow_dispatch` allows | ||
| # stanza breaks the reusable's gh API calls. Do not remove any trigger | ||
| # (`push` keeps the self-sustaining chain; `schedule` is the safety net | ||
| # when no PR merges have occurred recently; `workflow_dispatch` allows |
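Review bot: the rewritten header comment describes the `schedule` safety net as covering the case "when no PR merges have occurred recently", while the PR description and the `push` line in the same comment frame the chain as driven by pushes to `main`; since any push to `main`, not only a PR merge, re-triggers the `push` trigger, consider wording it as "when no pushes to `main` have occurred recently" so the comment matches the trigger semantics it documents.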
donpetry-bot
left a comment
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 1272435b13fdb4acb2de927d76806ee7e2280ff9
Review mode: triage-approved (single reviewer)
Summary
Prompt-only changes to the org status report template that reduce output size by ~29K bytes. Three changes: (1) Open Issues grouped by repo subsection instead of flat table, dropping the repeated Repo column; (2) duplicate [#N](url) | [title](url) cells merged into single [#N — title](url) cells across Needs Human Review, Open Issues, and Open Discussions tables; (3) MAX_BYTES bumped from 60000 to 64000 (still 1536 bytes below GitHub's 65536 char limit). No data-shape changes.
Linked issue analysis
No closing issue linked, but the PR body clearly describes the problem: daily report #233 exceeded the 60000-byte truncation threshold, causing head -c to drop the start of the report (the @org-leads opener and first three sections). The changes directly address this by shrinking the rendered output.
Findings
No issues found.
- MAX_BYTES 64000: Safe — leaves 1536 bytes of headroom below GitHub's 65536-char issue body limit. Combined with the ~29K reduction in report size, truncation should rarely trigger.
- Prompt template changes: Clean restructuring. The per-repo subsection format for Open Issues and the single-link cell pattern are consistent across all three tables.
- No security concerns: No secrets, auth, eval, injection vectors, or CI security changes.
- Copilot's suppressed comment about UTF-8 truncation in `head -c` is a pre-existing concern in the truncation step, not introduced by this PR.
CI status
All checks passed:
- Lint: ✓
- ShellCheck: ✓
- Agent Security Scan: ✓
- AgentShield: ✓
- CodeQL (actions): ✓
- SonarCloud: ✓ (0 new issues, 0 security hotspots)
- Dependency audit: ✓
Reviewed automatically by the PR-review agent (single-reviewer). Reply if you need a human review.
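A worked version of the truncation concern this review touches on (the `MAX_BYTES` headroom and `head -c` cutting inside a UTF-8 sequence), added here as an example and not code from this repository's report workflow; the constants are the figures quoted in the review, `TRUNCATION_NOTE` and the sample text are constructed, and the function names are my own.

```python
"""UTF-8-safe truncation of a generated issue body (added example)."""

GITHUB_ISSUE_BODY_LIMIT = 65536  # GitHub issue body limit quoted in the review
MAX_BYTES = 64000                # truncation threshold the review discusses
TRUNCATION_NOTE = "\n\n_(report truncated)_\n"  # constructed marker, 23 bytes


def naive_truncate(body: str, max_bytes: int) -> bytes:
    """Plain byte cut, what `head -c max_bytes` does: it can stop inside a
    multi-byte UTF-8 sequence and leave bytes that no longer decode."""
    return body.encode("utf-8")[:max_bytes]


def utf8_boundary(cut: bytes) -> int:
    """Length of the longest prefix of `cut` ending on a complete UTF-8
    sequence. Assumes `cut` is a prefix of valid UTF-8."""
    i = len(cut) - 1
    # Walk back over continuation bytes (10xxxxxx) to the lead byte.
    while i >= 0 and (cut[i] & 0xC0) == 0x80:
        i -= 1
    if i < 0:
        return 0
    lead = cut[i]
    if lead < 0x80:
        seq_len = 1          # ASCII
    elif lead >= 0xF0:
        seq_len = 4          # 11110xxx
    elif lead >= 0xE0:
        seq_len = 3          # 1110xxxx
    else:
        seq_len = 2          # 110xxxxx
    # Keep the last sequence only if every one of its bytes made the cut.
    return len(cut) if i + seq_len <= len(cut) else i


def utf8_safe_truncate(body: str, max_bytes: int = MAX_BYTES) -> str:
    """Keep the START of the report (opener and first sections) and cut on a
    code-point boundary; the result, note included, never exceeds max_bytes."""
    raw = body.encode("utf-8")
    if len(raw) <= max_bytes:
        return body
    budget = max_bytes - len(TRUNCATION_NOTE.encode("utf-8"))
    cut = raw[:budget]
    return cut[:utf8_boundary(cut)].decode("utf-8") + TRUNCATION_NOTE


def fits_github_limit(body: str) -> bool:
    """Final guard: GitHub counts characters, so check length, not bytes."""
    return len(body) <= GITHUB_ISSUE_BODY_LIMIT
```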
donpetry-bot
left a comment
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: da50ea5ec4fb0491b665f65a70d7685e7f32bbc6
Review mode: triage-approved (single reviewer)
Summary
This PR brings .github/workflows/dependabot-rebase.yml into compliance with the org canonical stub from petry-projects/.github/standards/workflows/. The changes are minimal (+6/−3 in a single file): adds a missing schedule trigger (0 */4 * * *) as a safety net when no pushes to main occur, updates the header comment to document all three triggers, and corrects the APP_ID permission description to include contents:write.
Linked issue analysis
Closes #256 — a compliance finding (non-stub-dependabot-rebase.yml) from the weekly compliance audit requesting the workflow be replaced with the canonical stub. This PR directly addresses the finding by adopting the standard stub verbatim, including the previously missing schedule trigger.
Findings
No issues found.
- Schedule trigger `0 */4 * * *`: Runs every 4 hours. This is the org-standard safety-net cadence — reasonable and not excessive.
- Comment changes only otherwise: The header guidance and `APP_ID` description updates are documentation-only with no functional impact.
- No permission or secrets changes: The workflow's `permissions:` block, `concurrency:` group, and explicit `secrets:` pass-through are unchanged.
- No security concerns: No new dependencies, no eval/injection vectors, no credential handling changes.
CI status
All checks passed:
- Build and test: ✓
- CodeQL (actions, JS/TS, Python): ✓
- SonarCloud: ✓ (0 new issues, 0 security hotspots)
- AgentShield: ✓
- Secret scan (gitleaks): ✓
- Dependency audit (npm): ✓
- Node.js tests: ✓
- Playwright UI tests: ✓
- Coverage: ✓
Reviewed automatically by the PR-review agent (single-reviewer). Reply if you need a human review.
Superseded by automated re-review at da50ea5.
Pull request was closed
Replace non-conforming workflow with the exact canonical stub from petry-projects/.github/standards/workflows/dependabot-rebase.yml.

Changes:
- Add missing `schedule` trigger (every 4h safety net)
- Update comment to mention schedule trigger
- Fix APP_ID comment to include contents:write permission

Closes #256

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
d8d86f2 to b5523e8
@dev-lead - please fix this PR
Summary
- Replaces `dependabot-rebase.yml` with the verbatim canonical stub from `petry-projects/.github/standards/workflows/dependabot-rebase.yml`
- Adds a `schedule` trigger (`0 */4 * * *`) that serves as a safety net when no pushes to `main` occur
- Updates the header comment to mention the `schedule` trigger and corrects the `APP_ID` permission description to include `contents:write`

Closes #256
Generated with Claude Code