[Dependabot] Sudden change in access required for dependabot commands. Is this documented? #48010
Replies: 9 comments 1 reply
-
We have a similar setup to reduce the number of CI runs and stumbled upon this same problem. We've also accomplished this by disabling Dependabot's auto-rebase and by using a GitHub workflow to rebase the open Dependabot PRs one at a time by commenting This was still working on Thursday, 16 February 2023. However, on Friday, 17 February 2023, this suddenly stopped working and fails with Dependabot replying I also tried to find documentation about the required permissions for the different Dependabot comment commands but couldn't find anything. I'd also be interested to know whether this is documented somewhere? One way to solve this would probably be to use a personal access token instead of the
-
Also experienced this the past few days. Noticed that when I ran "@dependabot recreate" then waited for our automerge GHA to run (before any other PRs got merged), it was able to merge. And then future PRs were able to "@dependabot rebase" without any issue.
-
🕒 Discussion Activity Reminder 🕒 This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one of the following actions: 1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as 2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own. 3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution. Note: This dormant notification will only apply to Discussions with the Thank you for helping bring this Discussion to a resolution! 💬
-
This is still a problem and there's been no input from GitHub or Dependabot devs to date. It'd be great to hear an answer as to whether this is intended or a bug and perhaps get a workaround for these user journeys.
-
This is still a problem and there's been no input from GitHub or Dependabot devs to date. It'd be great to hear an answer as to whether this is intended or a bug and perhaps get a workaround for these user journeys.
-
Adjust your setup or give Dependabot the right permissions.
-
This still happens quite often that an app with full read/write repo permissions is not allowed to ask dependabot to rebase a pull request. Not sure what more information is needed.
-
My dependency management setup uses Dependabot to open PRs and a third party tool (Mergify) to manage those PRs such that merging many dependency updates doesn't require any more CI runs than necessary.
This is accomplished by configuring Dependabot to not auto-rebase and instead to just allow Mergify to update non-conflicting PRs when it's their turn to be merged.
When there is a conflict, I've configured Mergify to add a comment "@dependabot rebase" in order to have Dependabot figure out what the new state of the PR should be.
This was working as early as a couple weeks ago but today that comment failed with the reply:
"Sorry, only users with push access can use that command."
This was already the case for commands like "@dependabot recreate" but it's unclear when and how these requirements are enforced.
The Mergify bot I use has permissions to add commits, merge, comment in my repo so it's pretty surprising that Dependabot thinks it shouldn't have permission to run a command that has no risk of improper use.
Is this working as intended? Is this access control documented anywhere? I couldn't find it when searching though maybe it used to exist based on some tangential references I saw.
Thanks!
rebase successful PR: melink14/rikaikun#1393
rebase failed PR: melink14/rikaikun#1419