Closed
fix(dependabot-repair): authorize dependabot[bot] via on.bots#45411
Conversation
Without on.bots: configured, check_membership falls through to the roles check for dependabot[bot]. Since GitHub App bots have no collaborator role (none), this causes insufficient_permissions → action_required in the conclusion job for every real Dependabot PR. Adding bots: ["dependabot[bot]"] sets GH_AW_ALLOWED_BOTS which makes check_membership use checkBotAllowlistAuthorization instead of the roles path, correctly authorizing the bot via its active status on the repository. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix Dependabot Local Repair workflow action required issue
fix(dependabot-repair): authorize dependabot[bot] via on.bots
Jul 14, 2026
Collaborator
|
@mnkiefer fyi |
Collaborator
|
@pelikhan These workflows are outdated. I will remove them now. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
dependabot-repairhas shown 100%action_requiredsince launch becausedependabot[bot]was never being authorized correctly — every real Dependabot PR would failcheck_membershipand land in theconclusionjob asaction_required.Root cause
Without
on.bots:configured,check_membership.cjsskips the bot allowlist path and falls through tocheckRepositoryPermission.dependabot[bot]is a GitHub App with no collaborator role (none), so it fails the required["admin", "maintainer", "write"]check →insufficient_permissions→action_required.Fix
Added
bots: ["dependabot[bot]"]to theon:section:This sets
GH_AW_ALLOWED_BOTS: "dependabot[bot]"in the compiled lock file, routing the actor throughcheckBotAllowlistAuthorization→checkBotStatus(verifies installation on repo) →authorized_bot.Context on observed noise
The
action_required+skippedruns in the dashboard so far are entirely from Copilot PRs, not Dependabot — GitHub's pre-run approval mechanism fires before any jobs execute (0 jobs, 0s duration) for new actors. This is a repository policy concern, not fixable in workflow code. The code fix here unblocks actual Dependabot PRs when they arrive.