Skip to content

fix(dependabot-repair): authorize dependabot[bot] via on.bots#45411

Closed
pelikhan with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-dependabot-local-repair
Closed

fix(dependabot-repair): authorize dependabot[bot] via on.bots#45411
pelikhan with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-dependabot-local-repair

Conversation

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

dependabot-repair has shown 100% action_required since launch because dependabot[bot] was never being authorized correctly — every real Dependabot PR would fail check_membership and land in the conclusion job as action_required.

Root cause

Without on.bots: configured, check_membership.cjs skips the bot allowlist path and falls through to checkRepositoryPermission. dependabot[bot] is a GitHub App with no collaborator role (none), so it fails the required ["admin", "maintainer", "write"] check → insufficient_permissionsaction_required.

Fix

Added bots: ["dependabot[bot]"] to the on: section:

on:
  pull_request:
    types: [opened, synchronize, reopened]
  bots: ["dependabot[bot]"]

This sets GH_AW_ALLOWED_BOTS: "dependabot[bot]" in the compiled lock file, routing the actor through checkBotAllowlistAuthorizationcheckBotStatus (verifies installation on repo) → authorized_bot.

Context on observed noise

The action_required + skipped runs in the dashboard so far are entirely from Copilot PRs, not Dependabot — GitHub's pre-run approval mechanism fires before any jobs execute (0 jobs, 0s duration) for new actors. This is a repository policy concern, not fixable in workflow code. The code fix here unblocks actual Dependabot PRs when they arrive.

Without on.bots: configured, check_membership falls through to the
roles check for dependabot[bot]. Since GitHub App bots have no
collaborator role (none), this causes insufficient_permissions →
action_required in the conclusion job for every real Dependabot PR.

Adding bots: ["dependabot[bot]"] sets GH_AW_ALLOWED_BOTS which makes
check_membership use checkBotAllowlistAuthorization instead of the
roles path, correctly authorizing the bot via its active status on
the repository.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix Dependabot Local Repair workflow action required issue fix(dependabot-repair): authorize dependabot[bot] via on.bots Jul 14, 2026
Copilot AI requested a review from pelikhan July 14, 2026 09:13
@pelikhan

Copy link
Copy Markdown
Collaborator

@mnkiefer fyi

@mnkiefer

Copy link
Copy Markdown
Collaborator

@pelikhan These workflows are outdated. I will remove them now.

@pelikhan pelikhan closed this Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[aw] Dependabot Local Repair: 100% action_required since launch (Jul 13)

3 participants