fix(standards): correct SHA in dependabot-rebase template

[don-petry]

Summary

• The SHA 3c6335c6ee3e2f1a37f3e27e065e28d36d9c0dde in standards/workflows/dependabot-rebase.yml is a typo — it does not exist in this repo (returns 404 from the GitHub API)
• The correct full SHA for the fix(dependabot-rebase): fall back to @dependabot rebase commit is 3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1
• This was introduced in commit af3c1df when the SHA was bumped

Impact

All downstream repos that adopted the standard template (broodly, TalkTerm, google-app-scripts, markets, ContentTwin) currently reference @v1 tag or older SHAs. Open PRs in those repos that attempt to pin to 3c6335c6... will reference a non-existent commit and will fail when the workflow runs.

Test plan

• Verify 3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1 resolves correctly: gh api repos/petry-projects/.github/git/commits/3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1 --jq .message
• After merge, open PRs in downstream repos to adopt the corrected SHA

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated automated dependency management workflow configurations to use updated workflow references, improving the efficiency of dependency update processes.

[coderabbitai]

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 54 minutes and 43 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: bc3021bb-35ed-49e3-b3d7-7f54724d1588

📥 Commits

Reviewing files that changed from the base of the PR and between 46a97fc and 2fd6720.

📒 Files selected for processing (1)

• standards/workflows/dependabot-rebase.yml

📝 Walkthrough

Walkthrough

Updates the reusable workflow references in two dependabot-rebase workflow files: one transitions from an external pinned commit SHA to a local relative path reference, while the other updates to a different pinned commit SHA version.

Changes

Cohort / File(s)	Summary
Dependabot-rebase workflow reference (main repo) .github/workflows/dependabot-rebase.yml	Changed reusable workflow reference from external pinned commit (petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@f5c167c903...) to local relative path (./.github/workflows/dependabot-rebase-reusable.yml).
Dependabot-rebase workflow reference (standards) standards/workflows/dependabot-rebase.yml	Updated pinned commit SHA to 3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1 for the reusable workflow invocation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• feat(workflows): centralize standards via reusable workflows #87: Introduces and standardizes the dependabot-rebase reusable workflow and caller stubs that these changes reference.
• fix(dependabot): use correct ecosystem value github_actions (underscore) #138: Directly modifies the same .github/workflows/dependabot-rebase.yml caller configuration file.
• fix(dependabot-rebase): fall back to @dependabot rebase when update-branch is blocked by workflows permission #143: Updates the reusable workflow implementation that the caller changes invoke, affecting which fixes/behavior are used.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(standards): correct SHA in dependabot-rebase template' directly describes the main change: correcting a typoed SHA in the standards/workflows/dependabot-rebase.yml file.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/standards-dependabot-rebase-sha

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Updates the Dependabot rebase Tier-1 workflow references so downstream repos can pin a valid reusable-workflow commit, and adjusts this repo’s internal caller stub to use the local reusable workflow.

Changes:

• Update standards/workflows/dependabot-rebase.yml to point at commit 3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1.
• Change .github/workflows/dependabot-rebase.yml to call the local reusable workflow via ./.github/workflows/dependabot-rebase-reusable.yml.
• Revise the internal stub’s header comments to explain the local-ref behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
standards/workflows/dependabot-rebase.yml	Updates the pinned reusable-workflow ref used by downstream template adopters.
.github/workflows/dependabot-rebase.yml	Switches this repo’s caller stub to a local reusable reference and updates its guidance comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[don-petry]

Outdated review (superseded by re-review at 129497d79a596756c5c786146221b9108af5561c) — click to expand.

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

• [major] PR is not mergeable (mergeStateStatus: DIRTY, mergeable: CONFLICTING). The branch must be rebased or the conflict resolved before merging.
• [minor] .github/workflows/dependabot-rebase.yml:46 — Switching from a pinned SHA to a local relative path (./) means future changes to the reusable workflow take effect immediately with no pinning safety net for this repo's own instance. This is intentional and well-commented, but worth noting as ongoing operational context.

Additional tasks

1. Resolve all unresolved review thread comments from other reviewers
2. Ensure all CI checks pass after your changes
3. Rebase on main if the branch is behind
4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

[don-petry]

Outdated review (superseded by re-review at 129497d79a596756c5c786146221b9108af5561c) — click to expand.

Automated review — APPROVED

Risk: MEDIUM
Reviewed commit: 5a086dac2e408296a7fa1342bee053511ebbf989
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

Two-file workflow fix: corrects a non-existent SHA in the standards template (now points to valid main HEAD 9a694e5, confirmed present in repo), and switches this repo's own caller stub to a local relative ref (appropriate for the source-of-truth repo). All CI checks pass, the reusable workflow file exists at the new pinned SHA, and no security anti-patterns are present.

Findings

Info

• info · .github/workflows/dependabot-rebase.yml:46 — .github/workflows/dependabot-rebase.yml now uses a local relative ref (./) instead of a pinned SHA. This is intentional and well-documented — this repo is the source of truth for the reusable workflow. The permissions block (contents: write, pull-requests: write) is unchanged.
• info · standards/workflows/dependabot-rebase.yml:47 — standards/workflows/dependabot-rebase.yml SHA bumped to 9a694e5 (labeled # main). Verified: commit exists and dependabot-rebase-reusable.yml is present at that ref. Note that 9a694e5 is a dependency-bump commit, not a workflow-logic commit — the label # main accurately describes intent (pin to current HEAD).
• info · merge-state — Prior review flagged CONFLICTING merge state. Current mergeStateStatus is UNKNOWN (GitHub reports UNKNOWN for recently pushed commits while it recalculates). Branch HEAD is 5a086da — the latest commit explicitly addresses the conflict from the prior review cycle.

CI status

All CI checks pass (ci-green · sha-verified · conflicts-resolved · no-security-antipatterns).

---

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

[github-actions]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[petry-projects-pr-review-agent]

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

[donpetry-bot]

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

[don-petry]

@claude Please address all open review comments on this PR from CodeRabbit and Copilot.

[claude]

Claude finished @don-petry's task in 2m 58s —— View job

---

Addressing Copilot review comments

• Read current file state and standards
• Analyze open Copilot comments
• Fix standards/workflows/dependabot-rebase.yml — document SHA-pin rationale and clarify adoption guidance
• Note limitation on .github/workflows/dependabot-rebase.yml (cannot modify)
• Commit and push changes

---

What was done

Commit c42017f — standards/workflows/dependabot-rebase.yml

Two changes to address the Copilot comments:

1. SHA-pin vs @v1 label (Copilot comment 1): Added a new bullet in the AGENTS block explaining that no semver tags are maintained for this internal reusable workflow, so SHA pinning is intentional — it's not a violation of the @v1 guidance in ci-standards.md (which applies to external actions). Includes the lookup command for getting the current SHA.

2. Adoption guidance (Copilot comment 3, partial): Updated the "To adopt" comment to explicitly name standards/workflows/dependabot-rebase.yml as the file to copy, with a warning not to copy .github/workflows/dependabot-rebase.yml (which uses a local ref only valid in the source-of-truth repo).

What could not be done

• .github/workflows/dependabot-rebase.yml line 23 (Copilot comment 3, full fix): The "To adopt: copy this file…" line in the .github/workflows/ version is still misleading. I cannot modify files in .github/workflows/ — GitHub App permissions do not allow workflow file modifications. The fix in standards/workflows/dependabot-rebase.yml mitigates this by being explicit in the template that downstream repos copy.

• PR description reconciliation (Copilot comment 2): The PR description references 3c6335c6… as the non-existent SHA, but the actual diff was f5c167c9… → 3c6335c0… (the description became stale across multiple fix iterations). This is a PR description accuracy issue — not fixable in code. The file itself is correct.
  | Branch

[don-petry]

@claude This PR has 3 unresolved Copilot review threads from 2026-04-17 (predating the claude.yml comment-trigger), plus the branch is now dirty (merge conflicts with main). Please:

1. Rebase the branch onto current main and resolve conflicts.
2. Address the unresolved threads in standards/workflows/dependabot-rebase.yml:
   • discussion_r3097935815: standard says Tier-1 stubs use ...@v1, but this template is SHA-pinned with a # v1 comment. Either switch back to @v1 or document this as an intentional SHA-pinned exception (and remove the # v1 label if it isn't actually the tag).
   • discussion_r3097935836: PR description claims the typo SHA is 3c6335c6…, but the diff is f5c167c9… → 3c6335c0…. Update the PR description so it matches the actual before/after state.
   • discussion_r3097935853 (header in .github/workflows/dependabot-rebase.yml): the header still says "To adopt: copy this file…" but a downstream repo copying it would not have the local reusable workflow path. Direct downstream repos to copy standards/workflows/dependabot-rebase.yml instead.
3. Push, then resolve the threads.

---

Generated by Claude Code

[claude]

Claude finished @don-petry's task in 8m 50s —— View job

---

Addressing PR conflicts and Copilot review threads

• Read current file state and gather context
• Address discussion_r3097935815 — SHA-pin documentation already in place from c42017f ✓
• Address discussion_r3097935836 — see notes below (gh approval required)
• Address discussion_r3097935853 — standards file adoption guidance already correct from c42017f ✓; .github/workflows/ line 23 blocked by workflow file permissions
• Incorporate schedule trigger from main into standards template — pushed as 129497d
• Merge/rebase onto main — blocked (requires approval)

---

What was done

Commit 129497d — standards/workflows/dependabot-rebase.yml

The branch had drifted from main on two points (both caused by the branch forking before those changes landed on main):

1. Missing schedule: cron '0 */4 * * *' trigger — main added the 4-hour safety-net schedule after the branch forked. Restored.
2. Shortened AGENTS MUST NOT comment — main's version documents why none of the triggers should be removed. Restored (fuller wording).

All prior branch improvements are preserved: SHA-pin rationale, # main label, explicit adoption guidance (Do NOT copy .github/workflows/...), contents: write permission.

---

What requires manual action

1. Resolve the merge conflict (git rebase/merge not approved)

The branch and main still have overlapping edits to two files that git cannot auto-merge:

File	Branch change	Main change	Conflict region
standards/workflows/dependabot-rebase.yml	Updated AGENTS block, SHA, removed schedule	Added schedule, different AGENTS block	AGENTS comment + triggers section
.github/workflows/dependabot-rebase.yml	Switched to local ref, shortened AGENTS block	Added schedule, fuller AGENTS block	AGENTS comment + triggers section

To resolve locally:

git fetch origin
git rebase origin/main
# resolve conflicts in both files, then:
git add .
git rebase --continue
git push --force-with-lease

Or use the "Update branch" button on the PR if GitHub offers a merge strategy.

2. Fix PR description (discussion_r3097935836)

gh pr edit was not approved. Please update the PR description in the GitHub UI to clarify: the typo SHA 3c6335c6… was in the PR description, not the file. The file change was f5c167c9… → 3c6335c0a2… → 9a694e57… (current main). The description should reflect this actual before/after.

3. .github/workflows/dependabot-rebase.yml line 23 (discussion_r3097935853)

The line # To adopt: copy this file to .github/workflows/dependabot-rebase.yml in your repo. is still present — identical on both the branch and main. It should read: # To adopt: copy standards/workflows/dependabot-rebase.yml instead. However, pushing changes to .github/workflows/ is blocked by GitHub App permissions (the workflows permission is not granted). This requires a human to push directly or use a PAT.

---

| Branch

[donpetry-bot]

Review — fix requested (cycle 3/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

1. Resolve all unresolved review thread comments from other reviewers
2. Ensure all CI checks pass after your changes
3. Rebase on the target branch if behind
4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

[donpetry-bot]

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the donpetry-bot PR-review cascade.

[don-petry]

@dev-lead - please fix this PR

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud