ENG-3223: Document GitHub permission update for Dependabot alerts

[ian-oneleet]

Problem

https://linear.app/oneleet/issue/ENG-3223/lightdash-dependabot-monitor-shows-no-applicable-assets

Our GitHub app doesn't have permission to read Dependabot alerts.

Solution

Document this update. We'll send an email notification after this is merged.

Summary by CodeRabbit

• Documentation
  • GitHub integration docs updated with a 2025-08-14 entry introducing monitoring of Dependabot vulnerability alerts.
  • Added new required GitHub permission: Read access to “Dependabot alerts.”
  • Updated setup instructions to enable Dependabot alert monitoring in Oneleet.
  • Notes that monitored scope shifts from user access reviews to Dependabot alerts while retaining the 2025-07-10 entry about Members permission.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
oneleet-docs	✅ Ready	Preview	Comment	Aug 14, 2025 5:12pm

[coderabbitai]

Walkthrough

Adds a 2025-08-14 entry to the GitHub integration docs to start monitoring Dependabot vulnerability alerts, requires Read access to "Dependabot alerts", and updates the Action required text; the prior 2025-07-10 Members-permission entry remains.

Changes

Cohort / File(s)	Summary of changes
Docs: GitHub integration updates pages/integrations/github.mdx	Added 2025-08-14 update entry; changed monitored scope to Dependabot vulnerability alerts; introduced required "Read: Dependabot alerts" permission; updated Action required text to enable Dependabot alert monitoring; retained 2025-07-10 entry about Members permission.

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant GitHub
  participant Oneleet

  User->>GitHub: Enable Dependabot alerts on repo
  GitHub->>Oneleet: Emit Dependabot vulnerability alerts (with read permission)
  Oneleet->>Oneleet: Monitor and process Dependabot alerts
  Oneleet->>User: Notify/action based on alerts

Loading

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A whisk of ears, a merge so bright,
Docs now watch alerts through the night.
Dependabot hums, "Please read me true,"
The rabbit hops in, permissions anew.
Carrots aligned, safer code in view 🥕✨

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ian/eng-3223-github-dependabot-no-assets

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

pages/integrations/github.mdx (3)

51-58: Clarify permission scope and add a prerequisite note for Dependabot alerts.

The permission is a repository-level GitHub App permission. Consider clarifying that and adding a short prerequisite note so admins know to enable Dependabot alerts on their org/repos.

Apply this diff to tighten the wording and add the note:

-We're updating our GitHub integration to monitor Dependabot vulnerability alerts. As part of this change, we will soon require the following **additional permissions**:
+We're updating our GitHub integration to monitor Dependabot vulnerability alerts. As part of this change, we will soon require the following **additional permissions**:

-- Read access to **"Dependabot alerts"**
+- Repository permission: Read access to **"Dependabot alerts"**
+
+> Note: Ensure Dependabot alerts are enabled for your organization and the repositories you intend to monitor.

Follow-up: Also consider updating:

• “Which permissions does Oneleet require?” to include “Dependabot alerts: Read-only”.
• “Which resources does Oneleet monitor?” to mention Dependabot vulnerability alerts.

---

59-61: Make “Action required” actionable with explicit approval steps and org-scope note.

Add concrete steps and clarify who can approve, plus repo selection nuances.

Apply this diff to expand the instructions:

-You should have received a GitHub notification prompting you to accept new permissions for the **Oneleet** app. Please accept the permissions to enable Dependabot alert monitoring on Oneleet.
+You should have received a GitHub notification prompting you to accept new permissions for the **Oneleet** app. Please accept the permissions to enable Dependabot alert monitoring on Oneleet.
+
+Alternatively, you can approve the permission via your GitHub organization settings:
+
+1. Go to Organization Settings → Installed GitHub Apps → Oneleet → Review permissions.
+2. Approve “Dependabot alerts: Read-only”.
+3. If the app is installed on selected repositories (not “All repositories”), ensure the repositories you want to monitor are included.
+
+Note: Only organization owners (or admins with the necessary privileges) can approve updated app permissions.

---

50-51: Order updates in reverse chronological order.

Place the 2025-08-14 entry above 2025-07-10 to keep the latest change first, matching common changelog conventions.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Knowledge Base: Disabled due to Reviews > Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between c79efc9 and 6e86b50.

📒 Files selected for processing (1)

• pages/integrations/github.mdx (1 hunks)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

pages/integrations/github.mdx (3)

43-46: Clarify the exact permission label/scope to match GitHub UI

To reduce ambiguity for admins approving the change, reference the GitHub UI section where this lives.

Apply this diff to clarify:

-We're updating our GitHub integration to monitor Dependabot vulnerability alerts. As part of this change, we will soon require the following **additional permissions**:
+We're updating our GitHub integration to monitor Dependabot vulnerability alerts. As part of this change, we will soon require the following **additional permissions**:
 
-- Read access to **"Dependabot alerts"**
+- Read access to **Dependabot alerts** (Repository permissions)

---

47-50: Make the action steps explicit (who approves and where to click)

Admins often miss where to accept updated permissions. Brief, explicit steps will cut support tickets.

Apply this diff to expand the instructions:

-You should have received a GitHub notification prompting you to accept new permissions for the **Oneleet** app. Please accept the permissions to enable Dependabot alert monitoring on Oneleet.
+You should have received a GitHub notification prompting you to accept new permissions for the **Oneleet** app. Please accept the permissions to enable Dependabot alert monitoring on Oneleet.
+
+If you don’t see a notification:
+- Organization owners can go to GitHub: Settings → Installed GitHub Apps → Oneleet
+  (or visit https://github.com/organizations/YOUR-ORG/settings/installations), click **Review permissions**, and grant Read access to Dependabot alerts.
+Note: Only organization owners can approve updated app permissions.

---

41-46: Add a note to ensure Dependabot alerts are enabled on the org/repos

Even with the permission granted, no data will appear if alerts are disabled at org/repo level.

Apply this diff to add a short note:

 We're updating our GitHub integration to monitor Dependabot vulnerability alerts. As part of this change, we will soon require the following **additional permissions**:
 
 - Read access to **"Dependabot alerts"**
+
+Note: Ensure Dependabot alerts are enabled for your organization and repositories (GitHub → Settings → Code security and analysis). See GitHub docs: https://docs.github.com/en/code-security/dependabot/dependabot-alerts

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Knowledge Base: Disabled due to Reviews > Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 6e86b50 and 3bfef65.

📒 Files selected for processing (1)

• pages/integrations/github.mdx (1 hunks)

🔇 Additional comments (2)

pages/integrations/github.mdx (2)

39-50: Good addition: clear change log entry for Dependabot alerts permission

The update is concise and mirrors the previous entry format. Nice consistency.

---

39-50: Plan for syncing the top-level permissions list post-rollout

Once this permission is fully rolled out, the “Which permissions does Oneleet require?” list at the top should be updated to reflect the new baseline.

Would you like me to open a follow-up task to update the top-level list when the rollout completes?