
ci(droid): allow Dependabot to trigger Droid Auto Review#174

Merged
EffortlessSteven merged 1 commit into main from ci/droid-allow-dependabot-20260511 on May 11, 2026

Conversation

@EffortlessSteven

Member

Summary

Discovered when running the new BYOK Droid setup against the first real Dependabot PR (#160 assert_cmd 2.2.0 → 2.2.1): the droid-action-safe action rejects non-human actors by default with

```
Workflow initiated by non-human actor: dependabot (type: Bot).
Add bot to allowed_bots list or use '*' to allow all bots.
```

That caused every Dependabot rebase to fail the droid-review check — informational (Droid review failures do not block merge), but noisy in the PR check list and confusing during the live dep-queue drain.

This PR adds allowed_bots: dependabot[bot] to droid-review.yml so Dependabot dependency-bump PRs receive Droid Auto Review. The narrow allow-list is deliberate; adding more bots (or '*') should require an explicit follow-up PR.

Also updates docs/agent-context/review-invariants.md to document the rule, so a reviewer who later sees allowed_bots knows it is intentional and scoped.

Why allow rather than skip?

Dependency bumps are exactly the case where Droid review is valuable — a bump can introduce a vulnerable transitive dep, change behavior, or interact with our publish-path code. The alternative (skip-on-bot) saves a small amount of MiniMax tokens but loses that signal. Keeping the security review on Dependabot PRs is worth the spend.

Safety posture

  • Allow-list is narrow (dependabot[bot] only), not '*'.
  • Same-repo guard, trusted-actor guard, show_full_output: false, upload_debug_artifacts: false, pinned SHAs, and cancel-in-progress: false are unchanged.
  • The manual workflow (droid.yml) and scheduled scan (droid-security-scan.yml) are unchanged — they have their own author-association and trigger guards and do not need a bot allow-list.

Test plan

The droid-action-safe action rejects non-human actors by default with:
```
Workflow initiated by non-human actor: dependabot (type: Bot).
Add bot to allowed_bots list or use '*' to allow all bots.
```

This caused every Dependabot rebase to report a failed `droid-review`
check — informational but noisy and confusing in the PR check list.

Add `allowed_bots: dependabot[bot]` so Dependabot dependency-bump PRs
receive Droid Auto Review. The list is narrow on purpose; do not change
to `'*'`. Adding additional bots requires an explicit follow-up PR.

Discovered when running the BYOK setup against #160 (assert_cmd 2.2.0
→ 2.2.1) — the first real Dependabot PR after the workflows landed in
#172.
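The invariant this PR records (one explicit bot identifier under `allowed_bots`, never `'*'`) is the kind of rule that is easy to erode in a later "just add renovate too" commit. The following is an added example, not code from this PR or from the project: a dependency-free lint that reads a workflow file's text, collects every identifier under an `allowed_bots` key (scalar, comma-separated scalar, or YAML block list), and fails on `'*'` or on any bot outside the permitted set. The sample workflow text is constructed; the action owner, the pinned SHA and the same-repo guard expression are placeholders, and only `allowed_bots`, `show_full_output` and `upload_debug_artifacts` are names taken from the PR itself.

```python
import re

# Constructed sample of the relevant job in a droid-review.yml, not the
# project's real file. The action owner, pinned SHA and guard expression
# are placeholders; only the three `with:` keys are names the PR mentions.
SAMPLE_WORKFLOW = """\
jobs:
  droid-review:
    # same-repo guard (placeholder expression)
    if: github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: example-org/droid-action-safe@0000000000000000000000000000000000000000
        with:
          allowed_bots: dependabot[bot]
          show_full_output: false
          upload_debug_artifacts: false
"""

# The same job with the setting the PR explicitly forbids.
WEAK_WORKFLOW = SAMPLE_WORKFLOW.replace(
    "allowed_bots: dependabot[bot]", "allowed_bots: '*'"
)

# The invariant as the PR states it: exactly this one identifier;
# widening the list needs its own PR, not a silent edit.
PERMITTED_BOTS = frozenset({"dependabot[bot]"})

_KEY = re.compile(r"^(?P<indent>\s*)allowed_bots:\s*(?P<value>.*?)\s*$")
_ITEM = re.compile(r"^(?P<indent>\s*)-\s*(?P<value>\S.*?)\s*$")


def _clean(value):
    """Drop a trailing YAML comment and matching surrounding quotes."""
    value = value.split(" #", 1)[0].strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1]
    return value


def parse_allowed_bots(workflow_text):
    """Collect every identifier given under an `allowed_bots` key.

    Handles `allowed_bots: dependabot[bot]`, a comma-separated scalar
    (assumed syntax, not confirmed against the action), and a YAML block
    list indented under the key. Regex-based on purpose so it runs without
    a YAML library in a minimal CI job.
    """
    bots = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = _KEY.match(lines[i])
        i += 1
        if not m:
            continue
        value = _clean(m.group("value"))
        if value:
            bots.extend(_clean(v) for v in value.split(",") if v.strip())
            continue
        # Empty scalar: a block list follows as "- item" lines that are
        # indented at least as far as the key itself.
        key_indent = len(m.group("indent"))
        while i < len(lines):
            item = _ITEM.match(lines[i])
            if not item or len(item.group("indent")) < key_indent:
                break
            bots.append(_clean(item.group("value")))
            i += 1
    return bots


def check_allowed_bots(workflow_text, permitted=PERMITTED_BOTS):
    """Return (ok, findings). ok is False for '*' or any unlisted bot.

    A missing allowed_bots key passes: the action's documented default is
    to reject non-human actors, so the key can only ever widen access.
    """
    findings = []
    for bot in parse_allowed_bots(workflow_text):
        if bot == "*":
            findings.append("allowed_bots is '*': every bot may trigger the review job")
        elif bot not in permitted:
            findings.append(
                f"allowed_bots names {bot!r}, which is not in the permitted set "
                f"{sorted(permitted)}"
            )
    return (not findings, findings)


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_WORKFLOW), ("weak", WEAK_WORKFLOW)):
        ok, findings = check_allowed_bots(text)
        print(f"{name}: {'OK' if ok else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Run it as a separate required check (or a pre-commit hook) against `.github/workflows/droid-review.yml`; because it only reads text, it cannot itself be influenced by the bot-authored PR it is guarding, and a change to `PERMITTED_BOTS` shows up in review as the explicit follow-up the invariant asks for.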
@gemini-code-assist


Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@chatgpt-codex-connector


You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

@coderabbitai

coderabbitai Bot commented May 11, 2026


Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 55 minutes and 12 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9fd88b39-962f-4512-bd20-207f047b11e1

📥 Commits

Reviewing files that changed from the base of the PR and between aa7391f and 3635c75.

📒 Files selected for processing (2)
  • .github/workflows/droid-review.yml
  • docs/agent-context/review-invariants.md

@factory-droid

factory-droid Bot commented May 11, 2026


Droid finished @EffortlessSteven's task.

Droid review validation complete.

Review Summary: No actionable findings emitted.

Inspected surfaces:

  • .github/workflows/droid-review.yml (allowed_bots: dependabot[bot] addition to the auto-review job)
  • docs/agent-context/review-invariants.md — new invariant documenting allowed_bots scope and the '*' prohibition

Why no comments:

  • The diff is a pure CI/workflow configuration change; no source code touched
  • Both changes are syntactically correct and narrowly scoped
  • The allow-list is intentionally minimal (one bot identifier)
  • No publish-state, registry-truth, token-redaction, or safety-critical surfaces are affected

Residual risk:

  • None identified for this PR. The change is purely additive and scoped to the Droid Auto Review workflow.

@EffortlessSteven EffortlessSteven merged commit f4d7c1e into main May 11, 2026
20 checks passed
@EffortlessSteven EffortlessSteven deleted the ci/droid-allow-dependabot-20260511 branch May 11, 2026 14:21