fix: skip SonarCloud on Dependabot PRs, remove CodeRabbit, limit Dependabot to minor/patch #45
…ndabot to minor/patch
- SonarCloud workflow: add if guard to skip Dependabot fork PRs. SONAR_TOKEN isn't available to fork PRs, causing 'Not authorized' failures on all 5 Dependabot PRs (#39-#43).
- Remove .coderabbit.yaml — CodeRabbit not needed.
- Dependabot: restrict to semver-minor and semver-patch updates only. Major bumps (TypeScript 6, @ai-sdk/openai 4) break types/APIs and require manual migration.
Code Review Summary
| Analyzer | Status | Updated (UTC) | Details |
|---|---|---|---|
| JavaScript | | Jun 28, 2026 4:28 p.m. | Review ↗ |
| Secrets | | Jun 28, 2026 4:28 p.m. | Review ↗ |
Important
AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.
Pull request overview
This PR adjusts CI/dependency automation to avoid Dependabot PR check failures by skipping SonarCloud when secrets aren’t available, removes the CodeRabbit configuration, and constrains Dependabot version updates to minor/patch to reduce breaking upgrade PRs.
Changes:
- Skip the SonarCloud job on `dependabot/*` pull requests to prevent unauthorized scan failures.
- Limit Dependabot version update PRs to semver minor/patch only.
- Remove `.coderabbit.yaml` from the repository.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/sonarcloud.yml | Adds a job-level condition to skip SonarCloud on Dependabot PRs. |
| .github/dependabot.yml | Restricts Dependabot updates to minor/patch releases. |
| .coderabbit.yaml | Removes CodeRabbit configuration file. |
| # Skip on Dependabot PRs — SONAR_TOKEN isn't available to fork PRs, | ||
| # causing "Not authorized" failures. Dependabot branches are forks. | ||
| if: github.event_name != 'pull_request' || !startsWith(github.head_ref, 'dependabot/') |
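Review bot: the guard keys on the branch-name prefix `dependabot/`, not on whether the head repository is a fork, so it only approximates the condition the comment states (fork PRs have no `SONAR_TOKEN`). A pull request opened from an outside contributor's fork still runs the job and hits the same "Not authorized" failure, while a maintainer branch that happens to start with `dependabot/` is skipped. If the intent is "skip whenever the secret is unavailable", test the head repo's fork flag, `!github.event.pull_request.head.repo.fork`, and keep a Dependabot-specific condition alongside it (`github.actor != 'dependabot[bot]'`) in case Dependabot branches in this repo are not actually forks, which the comment asserts but the expression does not verify.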
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 96ed92168b
| # Only minor and patch updates by default — major bumps require manual | ||
| # review since they often break types or APIs (e.g. TypeScript 6 removed | ||
| # implicit Bun globals, @ai-sdk/openai 4 changed LanguageModel type). | ||
| update-types: |
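Review bot: at this indentation `update-types` is a direct key of the npm `updates` entry, where Dependabot does not read it, so the minor/patch-only policy described in the comment is not enforced by this hunk. Express it as an ignore rule instead: `ignore:` / `- dependency-name: "*"` / `update-types: ["version-update:semver-major"]`. The phrase "by default" in the comment also overstates what the file does, since nothing else in the config re-enables major updates; "major updates are ignored" would describe the intended rule accurately.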
Move update-types into an allow or ignore rule
GitHub's Dependabot options reference documents update-types only as a parameter of allow, ignore, or groups, not as a package-ecosystem update key (https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#update-types--allow). With this indentation, Dependabot treats the npm update block as having an unsupported extra update-types property and won't process version updates, so the intended minor/patch-only policy disables this Dependabot config instead; put this under an allow rule or ignore version-update:semver-major for dependency-name: "*".
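The placement problem the Codex comment above describes (an `update-types` key that sits directly under an `updates` entry instead of under an `ignore` rule or a `groups` entry) is easy to miss in review because the file is still valid YAML. The following added example, which is not code from this repository or from any of the review bots, is a small lint that walks block-style `dependabot.yml` indentation without PyYAML and reports every `update-types` key whose enclosing key is not one Dependabot reads. It assumes `update-types` is honoured only directly under an `ignore` entry or under a named group inside `groups`; the two sample configs are constructed here, and the "fixed" one shows the `ignore` form the review suggests beside a `groups` form.

```python
"""Lint a dependabot.yml for `update-types` keys Dependabot will not read.

Added example for this PR thread (not the repository's code). It tracks
block-style YAML indentation directly, so it needs no PyYAML and handles the
layout shown in the hunk; flow-style mappings are out of scope.
Assumption: `update-types` is honoured only directly under an `ignore` entry
or under a named group inside `groups`; any other placement is reported.
"""
import sys

# Constructed sample: mirrors the hunk, with update-types as a direct key of
# the npm updates entry (Dependabot does not read it there).
WEAK_CONFIG = """\
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Misplaced: update-types is not a key of an updates entry.
    update-types:
      - "version-update:semver-minor"
      - "version-update:semver-patch"
"""

# Constructed sample: the same policy expressed where Dependabot reads it.
FIXED_CONFIG = """\
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
"""


def _key_of(text):
    """Return the mapping key that starts `text`, or None if it is a scalar."""
    if not text:
        return None
    if text[0] in "\"'":
        close = text.find(text[0], 1)
        if close == -1 or not text[close + 1:].lstrip().startswith(":"):
            return None
        return text[1:close]
    head, sep, tail = text.partition(":")
    # A key needs ':' followed by whitespace or end of line; "a:b" is a scalar.
    if not sep or (tail and not tail[0].isspace()):
        return None
    return head.strip()


def find_misplaced_update_types(yaml_text):
    """Return [(line_number, enclosing_key), ...] for each misplaced key."""
    findings = []
    stack = []  # (indent of the key, key name) for enclosing mapping keys
    for lineno, raw in enumerate(yaml_text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        is_item = stripped.startswith("- ")
        # A list item's key is effectively indented past the "- " marker.
        text = stripped[2:].lstrip() if is_item else stripped
        key_indent = indent + 2 if is_item else indent
        # Drop enclosing keys that are siblings or deeper than this line.
        while stack and stack[-1][0] >= key_indent:
            stack.pop()
        key = _key_of(text)
        if key is None:
            continue
        if key == "update-types":
            parent = stack[-1][1] if stack else None
            grandparent = stack[-2][1] if len(stack) > 1 else None
            if not (parent == "ignore" or grandparent == "groups"):
                findings.append((lineno, parent))
        stack.append((key_indent, key))
    return findings


if __name__ == "__main__":
    # With a path argument, lint that file; otherwise lint the samples above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = [(sys.argv[1], fh.read())]
    else:
        samples = [("WEAK_CONFIG", WEAK_CONFIG), ("FIXED_CONFIG", FIXED_CONFIG)]
    for name, text in samples:
        hits = find_misplaced_update_types(text)
        for lineno, parent in hits:
            print(f"{name}:{lineno}: update-types under {parent!r} is not read by Dependabot")
        if not hits:
            print(f"{name}: no misplaced update-types")
```

Run it with no arguments to see the constructed weak config flagged at its `update-types` line and the fixed config pass, or pass a path to your own `.github/dependabot.yml`. The check is deliberately narrow: it reasons about which key encloses `update-types`, not about the values, so a misspelled `version-update:semver-major` still needs a human eye.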
Description
Fixes the root cause of check failures across all 5 Dependabot PRs (#39-#43), removes CodeRabbit, and prevents future breaking major-bump PRs from Dependabot.
Type of Change
Root Cause Analysis
SonarCloud fails on ALL Dependabot PRs
`SONAR_TOKEN` is a repo secret, but Dependabot PRs run from fork branches. GitHub doesn't expose secrets to fork PRs, so the SonarCloud scan runs with an empty token → `Not authorized or project not found` → exit code 3. This caused SonarCloud to fail on all 5 Dependabot PRs.
Fix: Added `if: github.event_name != 'pull_request' || !startsWith(github.head_ref, 'dependabot/')` guard to skip SonarCloud on Dependabot PRs.
PR #39 (TypeScript 6.0.3) — check fails
`TS2868: Cannot find name 'Bun'` and `TS2307: Cannot find module 'bun:sqlite'`. TypeScript 6 removed implicit Bun global types. Breaking major bump requiring manual migration. Closed.
PR #43 (@ai-sdk/openai 4.0.2) — check fails
`TS2322: Type 'LanguageModelV4' is not assignable to type 'LanguageModel'`. AI SDK v4 introduced incompatible type system. Breaking major bump. Closed.
Changes
- `.coderabbit.yaml` (not needed)
- `semver-minor` and `semver-patch` updates only (major bumps require manual migration)
Checklist
- `bun run typecheck` and it passes
- `bun run test` and all tests pass
- `bun run build` and it succeeds
- `bun run format:check` and it passes
Testing
No code changes — only CI config. Pre-commit and pre-push hooks passed.
Related Issues
Fixes check failures on PRs #39, #40, #41, #42, #43
Changelog Entry
Fixed: SonarCloud skipped on Dependabot fork PRs (SONAR_TOKEN unavailable). Removed CodeRabbit. Dependabot limited to minor/patch updates.
Contributor Credit
N/A