ci(droid): allow Dependabot to trigger Droid Auto Review #174
Conversation
The droid-action-safe action rejects non-human actors by default with: Workflow initiated by non-human actor: dependabot (type: Bot). Add bot to allowed_bots list or use '*' to allow all bots. This caused every Dependabot rebase to report a failed `droid-review` check — informational but noisy and confusing in the PR check list. Add `allowed_bots: dependabot[bot]` so Dependabot dependency-bump PRs receive Droid Auto Review. The list is narrow on purpose; do not change to `'*'`. Adding additional bots requires an explicit follow-up PR. Discovered when running the BYOK setup against #160 (assert_cmd 2.2.0 → 2.2.1) — the first real Dependabot PR after the workflows landed in #172.
Droid finished @EffortlessSteven's task. Droid review validation complete. Review Summary: No actionable findings emitted.
Inspected surfaces:
Why no comments:
Residual risk:
Summary

Discovered when running the new BYOK Droid setup against the first real Dependabot PR (#160 assert_cmd 2.2.0 → 2.2.1): the `droid-action-safe` action rejects non-human actors by default with

> Workflow initiated by non-human actor: dependabot (type: Bot). Add bot to allowed_bots list or use '*' to allow all bots.

That caused every Dependabot rebase to fail the `droid-review` check — informational (Droid review failures do not block merge), but noisy in the PR check list and confusing during the live dep-queue drain.

This PR adds `allowed_bots: dependabot[bot]` to `droid-review.yml` so Dependabot dependency-bump PRs receive Droid Auto Review. The narrow allow-list is deliberate; adding more bots (or `'*'`) should require an explicit follow-up PR.

Also updates `docs/agent-context/review-invariants.md` to document the rule, so a reviewer who later sees `allowed_bots` knows it is intentional and scoped.

Why allow rather than skip?

Dependency bumps are exactly the case where Droid review is valuable — a bump can introduce a vulnerable transitive dep, change behavior, or interact with our publish-path code. The alternative (skip-on-bot) saves a small amount of MiniMax tokens but loses that signal. Keeping the security review on Dependabot PRs is worth the spend.

Safety posture

- Narrow allow-list (`dependabot[bot]` only), not `'*'`.
- `show_full_output: false`, `upload_debug_artifacts: false`, pinned SHAs, and `cancel-in-progress: false` are unchanged.
- `droid.yml` and the scheduled scan (`droid-security-scan.yml`) are unchanged — they have their own author-association and trigger guards and do not need a bot allow-list.

Test plan

- `@dependabot rebase` on "deps(deps): bump assert_cmd from 2.2.0 to 2.2.2 in the dev-deps group across 1 directory" #160 to pick up the new workflow.
- Confirm the `droid-review` check passes (no `non-human actor` prepare-step failure).
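As an added example (not part of this PR or the project's code), a small Python check that encodes the safety-posture invariants above as something a reviewer can run over a workflow file: the action path, the pinned SHA and the comma-separated form of `allowed_bots` are assumptions, and the sample workflow fragment is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed droid-review.yml-style fragment (not the project's real file).
# Action owner and SHA are placeholders, not real identifiers.
SAMPLE_WORKFLOW = """\
name: droid-review
on:
  pull_request:
concurrency:
  group: droid-review-${{ github.ref }}
  cancel-in-progress: false
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/droid-action-safe@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
        with:
          allowed_bots: dependabot[bot]
          show_full_output: false
          upload_debug_artifacts: false
"""

# The allow-list documented in review-invariants.md (assumed to be the full list).
ALLOWED_BOTS = {"dependabot[bot]"}
MUST_BE_FALSE = ("show_full_output", "upload_debug_artifacts", "cancel-in-progress")

USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_PIN = re.compile(r"^\s*-?\s*uses:\s*\S+@([0-9a-f]{40})\b")
KEY = re.compile(r"^\s*([A-Za-z_-]+):\s*(.*?)\s*(?:#.*)?$")


def check_workflow(text: str) -> List[str]:
    """Return invariant violations for a single-step workflow; [] means it passes."""
    findings: List[str] = []
    settings: Dict[str, str] = {}  # last value wins; fine for a one-step job
    for line in text.splitlines():
        m = USES.match(line)
        if m:  # every action must be pinned to a full 40-hex commit SHA
            if not SHA_PIN.match(line):
                findings.append(f"unpinned action: {m.group(1)}")
            continue
        m = KEY.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'\"")
    # allowed_bots assumed comma-separated; '*' or an undocumented bot is a finding
    bots = [b.strip() for b in settings.get("allowed_bots", "").split(",") if b.strip()]
    if "*" in bots:
        findings.append("allowed_bots is '*': every bot can trigger review")
    for bot in sorted(set(bots) - ALLOWED_BOTS - {"*"}):
        findings.append(f"bot not in documented allow-list: {bot}")
    for key in MUST_BE_FALSE:  # debug output and cancellation stay off
        if settings.get(key) != "false":
            findings.append(f"{key} must be false (got {settings.get(key)!r})")
    return findings
```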