From 3556bc2a9c7adbb321a7eb4edeea6654f3c44667 Mon Sep 17 00:00:00 2001 From: GitHub Copilot Date: Sun, 31 May 2026 21:53:09 +0200 Subject: [PATCH 1/7] Handle UNKNOWN merge state for Dependabot PRs Trigger a Dependabot rebase when mergeStateStatus is UNKNOWN in addition to BEHIND, matching the behaviour in github-actions-help. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/auto-update-pr-branches.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/auto-update-pr-branches.yaml b/.github/workflows/auto-update-pr-branches.yaml index 1b9535c..13f5ad2 100644 --- a/.github/workflows/auto-update-pr-branches.yaml +++ b/.github/workflows/auto-update-pr-branches.yaml @@ -41,6 +41,9 @@ jobs: if [ "$merge_state" = "BEHIND" ]; then echo "PR #$pr is behind main, triggering Dependabot rebase" gh pr comment --repo "${{ github.repository }}" "$pr" --body "@dependabot rebase" || true + elif [ "$merge_state" = "UNKNOWN" ]; then + echo "PR #$pr state UNKNOWN, triggering Dependabot rebase anyway to be safe" + gh pr comment --repo "${{ github.repository }}" "$pr" --body "@dependabot rebase" || true else echo "PR #$pr merge state is '$merge_state', no update needed" fi From ca3ffac7dfa0a0d9bb6019fef022a7faf639180d Mon Sep 17 00:00:00 2001 From: GitHub Copilot Date: Sun, 31 May 2026 21:57:46 +0200 Subject: [PATCH 2/7] Use GITHUB_TOKEN when posting Dependabot rebase comments Dependabot only accepts commands from accounts with push access. The Jeeves app token is not recognised as such in all repos, causing "Sorry, only users with push access can use that command". Use the vanilla github.token (github-actions[bot]) for the comment so Dependabot accepts it, while keeping the Jeeves token for gh pr update-branch on non-Dependabot PRs. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/auto-update-pr-branches.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
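Review bot: The new `elif` branch treats UNKNOWN exactly like BEHIND, but UNKNOWN is commonly what GitHub reports while mergeability is still being computed in the seconds after a push, so a scheduled run landing in that window posts `@dependabot rebase` on a PR that may already be current, and the trailing `|| true` hides any rejection of that comment. The two branches are also byte-identical apart from the echo text, which invites drift when one is edited. Consider re-querying once before acting, e.g. `[ "$merge_state" = "UNKNOWN" ] && sleep 10 && merge_state=$(gh pr view "$pr" --repo "${{ github.repository }}" --json mergeStateStatus --jq '.mergeStateStatus' 2>/dev/null || echo "ERROR")`, and then folding the two tests into one `if [ "$merge_state" = "BEHIND" ] || [ "$merge_state" = "UNKNOWN" ]; then`. The enclosing `while` loop and `run:` block start before this hunk.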
diff --git a/.github/workflows/auto-update-pr-branches.yaml b/.github/workflows/auto-update-pr-branches.yaml index 13f5ad2..640490c 100644 --- a/.github/workflows/auto-update-pr-branches.yaml +++ b/.github/workflows/auto-update-pr-branches.yaml @@ -26,6 +26,7 @@ jobs: - name: Update out-of-date PR branches env: GH_TOKEN: ${{ steps.app-token.outputs.token }} + VANILLA_GH_TOKEN: ${{ github.token }} run: | gh pr list --repo "${{ github.repository }}" --base main --state open --json number,author \ --jq '.[] | "\(.number) \(.author.login)"' | \ @@ -40,10 +41,10 @@ jobs: --json mergeStateStatus --jq '.mergeStateStatus' 2>/dev/null || echo "ERROR") if [ "$merge_state" = "BEHIND" ]; then echo "PR #$pr is behind main, triggering Dependabot rebase" - gh pr comment --repo "${{ github.repository }}" "$pr" --body "@dependabot rebase" || true + GH_TOKEN="$VANILLA_GH_TOKEN" gh pr comment --repo "${{ github.repository }}" "$pr" --body "@dependabot rebase" || true elif [ "$merge_state" = "UNKNOWN" ]; then echo "PR #$pr state UNKNOWN, triggering Dependabot rebase anyway to be safe" - gh pr comment --repo "${{ github.repository }}" "$pr" --body "@dependabot rebase" || true + GH_TOKEN="$VANILLA_GH_TOKEN" gh pr comment --repo "${{ github.repository }}" "$pr" --body "@dependabot rebase" || true else echo "PR #$pr merge state is '$merge_state', no update needed" fi From 82bc8b59d32f45605742c6df4b5931e2d7dc8d0c Mon Sep 17 00:00:00 2001 
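Review bot: Posting the comment with `github.token` only works if this job grants the default token `pull-requests: write`; the workflow's `permissions:` block is outside both hunks, so confirm it, because with `|| true` on both rewritten `gh pr comment` lines a 403 from a read-only token is silently swallowed and the PR is never rebased. The commit message asserts Dependabot will accept the comment, which is something to verify on a real PR rather than assume, since Dependabot judges commands by the commenter's author association rather than by the token's push access. At minimum replace `|| true` with `|| echo "::warning::failed to request rebase for PR #$pr"` so the run log shows when a request is rejected. The `while` loop enclosing the second hunk starts before it.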
From: GitHub Copilot Date: Sun, 31 May 2026 22:04:33 +0200 Subject: [PATCH 3/7] Use DEPENDABOT_REBASE_TOKEN (PAT) for Dependabot rebase comments Dependabot checks the author_association of comments and only accepts commands from OWNER, MEMBER, or COLLABORATOR. Both github-actions[bot] and GitHub App bots get author_association NONE, so their comments are rejected. Use a PAT from a user with write access (stored as DEPENDABOT_REBASE_TOKEN) so comments are posted as that user and Dependabot accepts them. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/auto-update-pr-branches.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/auto-update-pr-branches.yaml b/.github/workflows/auto-update-pr-branches.yaml index 640490c..a6cb4c0 100644 --- a/.github/workflows/auto-update-pr-branches.yaml +++ b/.github/workflows/auto-update-pr-branches.yaml @@ -26,7 +26,7 @@ jobs: - name: Update out-of-date PR branches env: GH_TOKEN: ${{ steps.app-token.outputs.token }} - VANILLA_GH_TOKEN: ${{ github.token }} + DEPENDABOT_REBASE_TOKEN: ${{ secrets.DEPENDABOT_REBASE_TOKEN }} run: | gh pr list --repo "${{ github.repository }}" --base main --state open --json number,author \ --jq '.[] | "\(.number) \(.author.login)"' | \ 
@@ -41,10 +41,10 @@ jobs: --json mergeStateStatus --jq '.mergeStateStatus' 2>/dev/null || echo "ERROR") if [ "$merge_state" = "BEHIND" ]; then echo "PR #$pr is behind main, triggering Dependabot rebase" - GH_TOKEN="$VANILLA_GH_TOKEN" gh pr comment --repo "${{ github.repository }}" "$pr" --body "@dependabot rebase" || true + GH_TOKEN="$DEPENDABOT_REBASE_TOKEN" gh pr comment --repo "${{ github.repository }}" "$pr" --body "@dependabot rebase" || true elif [ "$merge_state" = "UNKNOWN" ]; then echo "PR #$pr state UNKNOWN, triggering Dependabot rebase anyway to be safe" - GH_TOKEN="$VANILLA_GH_TOKEN" gh pr comment --repo "${{ github.repository }}" "$pr" --body "@dependabot rebase" || true + GH_TOKEN="$DEPENDABOT_REBASE_TOKEN" gh pr comment --repo "${{ github.repository }}" "$pr" --body "@dependabot rebase" || true else echo "PR #$pr merge state is '$merge_state', no update needed" fi From 08296403e65c3a9348d251046b2e2ab528486688 Mon Sep 17 00:00:00 2001 From: GitHub Copilot Date: Sun, 31 May 2026 22:13:04 +0200 Subject: [PATCH 4/7] Use github-actions[bot] to rebase Dependabot PRs Posting @dependabot rebase comments requires OWNER/MEMBER/COLLABORATOR author_association, which GitHub App bots cannot have (GitHub rejects adding bot accounts as collaborators). Instead, use github.token (github-actions[bot]) to call update-branch for Dependabot PRs. This separates the pusher (github-actions[bot]) from the approver (mr-jeeves[bot]), so GitHub does not block Jeeves from approving the resulting synchronize event. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../workflows/auto-update-pr-branches.yaml | 20 ++++++++----------- 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/.github/workflows/auto-update-pr-branches.yaml b/.github/workflows/auto-update-pr-branches.yaml index a6cb4c0..d961ad4 100644 --- a/.github/workflows/auto-update-pr-branches.yaml +++ b/.github/workflows/auto-update-pr-branches.yaml 
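Review bot: `DEPENDABOT_REBASE_TOKEN` is a long-lived personal access token, and when the secret is unset in a repository (forks, or before it has been configured) `${{ secrets.DEPENDABOT_REBASE_TOKEN }}` in the previous hunk expands to an empty string, so both `gh pr comment` lines here run with `GH_TOKEN=""`, fail authentication and are masked by `|| true`. Add a guard at the top of the `run:` block, `if [ -z "$DEPENDABOT_REBASE_TOKEN" ]; then echo "::error::DEPENDABOT_REBASE_TOKEN is not set"; exit 1; fi`, so the misconfiguration is visible instead of looking like a PR that never needed a rebase. Scope the PAT to this repository with only the pull-request write permission it needs (a fine-grained token rather than a classic one), and keep its use confined to the two comment calls as done here, since the whole `env:` block is exported to every command in the step. The `while` loop enclosing this hunk starts before it.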
@@ -26,29 +26,25 @@ jobs: - name: Update out-of-date PR branches env: GH_TOKEN: ${{ steps.app-token.outputs.token }} - DEPENDABOT_REBASE_TOKEN: ${{ secrets.DEPENDABOT_REBASE_TOKEN }} + UPDATE_BRANCH_TOKEN: ${{ github.token }} run: | gh pr list --repo "${{ github.repository }}" --base main --state open --json number,author \ --jq '.[] | "\(.number) \(.author.login)"' | \ while IFS=' ' read -r pr author; do echo "Checking PR #$pr (author: $author)..." if [ "$author" = "app/dependabot" ]; then - # Trigger Dependabot to rebase its own branch rather than pushing directly with - # the Jeeves bot token. If Jeeves pushes, dependabot/fetch-metadata fails with - # "PR is not from Dependabot" on the resulting synchronize event, which prevents - # Jeeves from re-approving and re-enabling auto-merge on that PR. + # Use github.token (github-actions[bot]) rather than the Jeeves token so that + # Jeeves (mr-jeeves[bot]) remains free to approve the resulting synchronize event. + # GitHub blocks a bot from approving commits it pushed itself. 
merge_state=$(gh pr view "$pr" --repo "${{ github.repository }}" \ --json mergeStateStatus --jq '.mergeStateStatus' 2>/dev/null || echo "ERROR") - if [ "$merge_state" = "BEHIND" ]; then - echo "PR #$pr is behind main, triggering Dependabot rebase" - GH_TOKEN="$DEPENDABOT_REBASE_TOKEN" gh pr comment --repo "${{ github.repository }}" "$pr" --body "@dependabot rebase" || true - elif [ "$merge_state" = "UNKNOWN" ]; then - echo "PR #$pr state UNKNOWN, triggering Dependabot rebase anyway to be safe" - GH_TOKEN="$DEPENDABOT_REBASE_TOKEN" gh pr comment --repo "${{ github.repository }}" "$pr" --body "@dependabot rebase" || true + if [ "$merge_state" = "BEHIND" ] || [ "$merge_state" = "UNKNOWN" ]; then + echo "PR #$pr merge state is '$merge_state', rebasing via github-actions[bot]" + GH_TOKEN="$UPDATE_BRANCH_TOKEN" gh pr update-branch --rebase --repo "${{ github.repository }}" "$pr" || true else echo "PR #$pr merge state is '$merge_state', no update needed" fi - else + else gh pr update-branch --rebase --repo "${{ github.repository }}" "$pr" || true fi done From a793eed6da670f0c78066b98a1ebafed064b71f6 Mon Sep 17 00:00:00 2001 From: GitHub Copilot Date: Sun, 31 May 2026 22:13:47 +0200 Subject: [PATCH 5/7] Fix indentation in auto-update-pr-branches workflow Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/auto-update-pr-branches.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-update-pr-branches.yaml b/.github/workflows/auto-update-pr-branches.yaml index d961ad4..8f1d991 100644 --- a/.github/workflows/auto-update-pr-branches.yaml +++ b/.github/workflows/auto-update-pr-branches.yaml @@ -44,7 +44,7 @@ jobs: else echo "PR #$pr merge state is '$merge_state', no update needed" fi - else + else gh pr update-branch --rebase --repo "${{ github.repository }}" "$pr" || true fi done From 80591681b409430510822fc901e8df48b694b5ab Mon Sep 17 00:00:00 2001 
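Review bot: Pushing the rebase with `UPDATE_BRANCH_TOKEN` (`github.token`) means the resulting `synchronize` event will probably not start any `pull_request`-triggered workflow on the PR, because GitHub documents that pushes made with the default `GITHUB_TOKEN` do not fire workflow runs; the approval flow the commit message wants to unblock depends on such a run, so this likely trades one blocker for another and should be checked on a real Dependabot PR before merging. The new comment explains why Jeeves must not push but not this side effect; suggest appending `# NOTE: pushes made with github.token do not trigger pull_request workflows on the PR.` so the next reader does not rediscover it. Separately, `|| true` on the new `gh pr update-branch --rebase` line hides rebase conflicts entirely; `|| echo "::warning::update-branch failed for PR #$pr"` keeps the run green while leaving a trace in the log.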
From: GitHub Copilot Date: Sun, 31 May 2026 22:15:56 +0200 Subject: [PATCH 6/7] Simplify: use github.token for all branch updates The Jeeves app token was only needed to comment @dependabot rebase on Dependabot PRs, but GitHub App bots cannot be repository collaborators so Dependabot always rejected those comments. The solution was to use github.token (github-actions[bot]) for the update-branch call instead. Since all PRs now use the same token and the same mechanism, there is no need to distinguish by author or to generate a Jeeves app token at all. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../workflows/auto-update-pr-branches.yaml | 34 ++++--------------- 1 file changed, 6 insertions(+), 28 deletions(-) diff --git a/.github/workflows/auto-update-pr-branches.yaml b/.github/workflows/auto-update-pr-branches.yaml index 8f1d991..a062dc9 100644 --- a/.github/workflows/auto-update-pr-branches.yaml +++ b/.github/workflows/auto-update-pr-branches.yaml 
@@ -16,35 +16,13 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'trebent/envparser' steps: - - name: Generate GitHub App token - id: app-token - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 - with: - client-id: ${{ secrets.JEEVES_APP_ID }} - private-key: ${{ secrets.JEEVES_APP_PRIVATE_KEY }} - - name: Update out-of-date PR branches env: - GH_TOKEN: ${{ steps.app-token.outputs.token }} - UPDATE_BRANCH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ github.token }} run: | - gh pr list --repo "${{ github.repository }}" --base main --state open --json number,author \ - --jq '.[] | "\(.number) \(.author.login)"' | \ - while IFS=' ' read -r pr author; do - echo "Checking PR #$pr (author: $author)..." - if [ "$author" = "app/dependabot" ]; then - # Use github.token (github-actions[bot]) rather than the Jeeves token so that - # Jeeves (mr-jeeves[bot]) remains free to approve the resulting synchronize event. - # GitHub blocks a bot from approving commits it pushed itself. - merge_state=$(gh pr view "$pr" --repo "${{ github.repository }}" \ - --json mergeStateStatus --jq '.mergeStateStatus' 2>/dev/null || echo "ERROR") - if [ "$merge_state" = "BEHIND" ] || [ "$merge_state" = "UNKNOWN" ]; then - echo "PR #$pr merge state is '$merge_state', rebasing via github-actions[bot]" - GH_TOKEN="$UPDATE_BRANCH_TOKEN" gh pr update-branch --rebase --repo "${{ github.repository }}" "$pr" || true - else - echo "PR #$pr merge state is '$merge_state', no update needed" - fi - else - gh pr update-branch --rebase --repo "${{ github.repository }}" "$pr" || true - fi + gh pr list --repo "${{ github.repository }}" --base main --state open --json number \ + --jq '.[].number' | \ + while read -r pr; do + echo "Updating PR #$pr..." + gh pr update-branch --rebase --repo "${{ github.repository }}" "$pr" || true done From defb8588c8bb3b1ed15f74279c2994e7e7983a5d Mon Sep 17 00:00:00 2001 
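Review bot: The rewritten loop calls `gh pr update-branch --rebase` on every open PR targeting main, dropping the `mergeStateStatus` gate that used to limit pushes to PRs that were actually behind; each run now rebases (and so rewrites the history of) every PR branch that the token can push to, and because the call still ends in `|| true`, the usual already-up-to-date and conflict errors vanish from the log. Keep the gate with the simplified token: `merge_state=$(gh pr view "$pr" --repo "${{ github.repository }}" --json mergeStateStatus --jq '.mergeStateStatus' 2>/dev/null || echo "ERROR")` followed by `if [ "$merge_state" = "BEHIND" ] || [ "$merge_state" = "UNKNOWN" ]; then`. With the app-token step removed, `github.token` now has to carry `contents: write` and `pull-requests: write` for `update-branch` to succeed; the job's `permissions:` block is outside this hunk, so confirm it rather than relying on the repository default.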
From: GitHub Copilot Date: Sun, 31 May 2026 22:21:25 +0200 Subject: [PATCH 7/7] chore: use jeeves token for gh pr update-branch rebase Use Jeeves app token (actions/create-github-app-token) instead of github.token so that the rebase push triggers downstream workflows. Branch updates are performed with gh pr update-branch --rebase via CLI, not by commenting on the PR. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/auto-update-pr-branches.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/auto-update-pr-branches.yaml b/.github/workflows/auto-update-pr-branches.yaml index a062dc9..4528c32 100644 --- a/.github/workflows/auto-update-pr-branches.yaml +++ b/.github/workflows/auto-update-pr-branches.yaml @@ -16,9 +16,15 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'trebent/envparser' steps: + - name: Generate Jeeves app token + id: jeeves-token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ secrets.JEEVES_APP_ID }} + private-key: ${{ secrets.JEEVES_APP_PRIVATE_KEY }} - name: Update out-of-date PR branches env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ steps.jeeves-token.outputs.token }} run: | gh pr list --repo "${{ github.repository }}" --base main --state open --json number \ --jq '.[].number' | \
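Review bot: `uses: actions/create-github-app-token@v1` reintroduces the token-minting step with a mutable major-version tag, whereas the step deleted in PATCH 6 was pinned to a full commit SHA (`@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0`); a floating tag lets whoever controls that action's repository change the code that receives `JEEVES_APP_PRIVATE_KEY`, so restore the pin, e.g. `uses: actions/create-github-app-token@<full-commit-sha> # vX.Y.Z`. Going back to `v1` also swaps the input name from `client-id` to `app-id`; confirm the pinned version accepts `app-id` rather than silently ignoring it. The comment removed in PATCH 6 stated that GitHub blocks a bot from approving commits it pushed itself, and this patch makes Jeeves the pusher again, so the approval flow that motivated PATCH 4 may break once more — worth testing on one PR before relying on it. The permissions the app token needs for `update-branch` are granted on the App installation, not in this file, so they cannot be checked here.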