Simplify: use github.token for all branch updates#14
Merged
Conversation
Trigger a Dependabot rebase when mergeStateStatus is UNKNOWN in addition to BEHIND, matching the behaviour in github-actions-help. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Dependabot only accepts commands from accounts with push access. The Jeeves app token is not recognised as such in all repos, causing "Sorry, only users with push access can use that command". Use the vanilla github.token (github-actions[bot]) for the comment so Dependabot accepts it, while keeping the Jeeves token for gh pr update-branch on non-Dependabot PRs. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
maansaake
changed the title
Dependabot checks the author_association of comments and only accepts commands from OWNER, MEMBER, or COLLABORATOR. Both github-actions[bot] and GitHub App bots get author_association NONE, so their comments are rejected. Use a PAT from a user with write access (stored as DEPENDABOT_REBASE_TOKEN) so comments are posted as that user and Dependabot accepts them. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
maansaake
changed the title
Posting @dependabot rebase comments requires OWNER/MEMBER/COLLABORATOR author_association, which GitHub App bots cannot have (GitHub rejects adding bot accounts as collaborators). Instead, use github.token (github-actions[bot]) to call update-branch for Dependabot PRs. This separates the pusher (github-actions[bot]) from the approver (mr-jeeves[bot]), so GitHub does not block Jeeves from approving the resulting synchronize event. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The Jeeves app token was only needed to comment @dependabot rebase on Dependabot PRs, but GitHub App bots cannot be repository collaborators so Dependabot always rejected those comments. The solution was to use github.token (github-actions[bot]) for the update-branch call instead. Since all PRs now use the same token and the same mechanism, there is no need to distinguish by author or to generate a Jeeves app token at all. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
maansaake
changed the title
Use Jeeves app token (actions/create-github-app-token) instead of github.token so that the rebase push triggers downstream workflows. Branch updates are performed with gh pr update-branch --rebase via CLI, not by commenting on the PR. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Remove the Jeeves app token step entirely. Since
github-actions[bot]now handles all branch updates (Dependabot and non-Dependabot alike), the app token was serving no purpose.The simplified workflow:
actions/create-github-app-tokenstepgh pr update-branch --rebaseloop usinggithub.token