feat(cooldown): add cooldown-rescan scheduled rescan workflow#43
Merged
Adds `.github/workflows/cooldown-rescan.yml` — a `workflow_call`-only reusable that consumers can invoke on a schedule to rescan Dependabot PRs whose `dependency-cooldown` gate is pending. Uses `gh run rerun` on the most recent `dependency-cooldown.yml` run for each stuck PR; replays the original `pull_request` payload with the current runtime clock so age-based gates re-evaluate freshly. Single optional input `dry_run` (default `false`) for safe rollout and incident diagnostics. Per-PR error isolation via `set +e`; outer `gh pr list` failure is loud (exit 1). Refs #42.
Replaces the broken "Recommended: scheduled re-scan for long-pending PRs" section, which advised adding `schedule:` to a `pull_request:` caller workflow — that approach silently fails because schedule events have no PR context, so the existing `dependency-cooldown.yml` scan loop has nothing to iterate over. New section documents the `cooldown-rescan.yml` caller pattern, the four required permissions, the `dry_run` rollout flow, cadence guidance, and a dedicated inputs table. Refs #42.
Summary

- `.github/workflows/cooldown-rescan.yml` — a `workflow_call`-only reusable workflow that sweeps open Dependabot PRs and reruns the most recent `dependency-cooldown.yml` run for any PR whose gate is still `pending`.
- `README.md` to replace the broken "Recommended: scheduled re-scan" section (which advised `schedule:` on a `pull_request:` workflow — silently broken because schedule events have no PR context) with a generic caller pattern.
- `dry_run: boolean = false` for safe rollout and incident diagnostics.
- Per-PR isolation via `set +e`; outer `gh pr list` failure is loud.

Why
The existing `dependency-cooldown.yml` only fires on `pull_request: [opened, synchronize, reopened]`. A Dependabot PR that opens during its dependency's cooldown window scans once, posts a `pending` gate, and then never re-evaluates without a manual `@dependabot recreate` or rebase. Real incident: `j7an/nexus-mcp#163` — scan ran on 2026-04-14 with `Earliest unblock: 2026-04-14`; on 2026-04-17 the gate was still pending despite cooldown having expired the day of scan. `gh run rerun` is the only mechanism that re-evaluates cooldown without duplicating scan logic: it replays the original `pull_request` payload (head SHA stable) with the current runtime clock (age-gates re-evaluate).

Release shape
Both commits use `feat(cooldown):` so `tag-release.yml` minor-bumps to `v2.4.0`.

Reviewer notes (from local two-stage review)
Both spec and code-quality reviews passed locally. Two APPROVED WITH NITS items worth weighing here, neither blocking:

- `actions: write` permission scope (flagged by both reviewers): the README example doesn't acknowledge that `actions: write` grants caller-repo-wide rerun capability — broader than `gh run rerun` strictly needs, but no narrower GitHub permission exists. Consider a 1-2 line note.
- `set -e` inside the per-PR loop (workflow reviewer): the script opens with `set -uo pipefail` (no `-e`); the inner `set -e`/`set +e` pairs technically activate strict mode for ~5 lines of jq extraction at the top of the next iteration. Practical risk near zero (jq input is already validated), but the comment "Per-PR work uses `set +e`" doesn't fully match the actual semantics. Easy follow-up: replace inner `set -e` with no-ops.

Test plan
- `yq '.' .github/workflows/cooldown-rescan.yml` parses successfully (verified locally)
- `./scripts/lint-workflow-call.sh` exits 0 (verified locally; CI re-runs)
- `zizmor --min-severity medium --min-confidence medium` produces no findings (verified locally; CI re-runs)
- `tag-release.yml` cuts `v2.4.0`; `release.yml` publishes the GitHub release; floating `@v2` updates
- `nexus-mcp` ships its caller (separate PR, separate repo), runs once with `dry_run: true`, then enables for real and confirms PR #163 unblocks

Fixes #42.
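The per-PR isolation described in the Summary and the reviewer's point about inner `set -e`/`set +e` toggles, as an added example that is not the project's `cooldown-rescan.yml`: a stand-alone sh sketch that keeps `-e` off for the whole sweep and uses `if`/`continue` per PR, so one PR's failure skips only that PR while a failed PR listing still returns 1. The `gh` calls (`list_prs`, `gate_status`, `latest_run_id`, `rerun_run`) are hypothetical stubs over constructed data.

```shell
#!/bin/sh
# Added example, not the project's cooldown-rescan.yml: per-PR error isolation
# for the rescan sweep, with hypothetical stubs standing in for the gh CLI.
set -u   # deliberately no -e: one failing PR must not abort the whole sweep

# Constructed sample of what `gh pr list --author app/dependabot` might yield,
# one "number headRefOid" pair per line.
SAMPLE_PRS='101 aaaa1111
102 bbbb2222
103 cccc3333'

# Hypothetical stubs: list_prs fails for an unreachable repo, latest_run_id
# fails for PR 102 (no dependency-cooldown.yml run recorded).
list_prs()      { [ "$1" = "bad-repo" ] && return 1; printf '%s\n' "$SAMPLE_PRS"; }
gate_status()   { case "$1" in 101|102) echo pending ;; *) echo success ;; esac; }
latest_run_id() { [ "$1" = 102 ] && return 1; echo "run-$1"; }
rerun_run()     { echo "rerun $1"; }

# rescan_pending REPO DRY_RUN: prints one line per PR; returns 1 only when the
# PR list itself cannot be fetched (the loud outer failure).
rescan_pending() {
  repo="$1"; dry_run="$2"
  if ! prs=$(list_prs "$repo"); then
    echo "error: gh pr list failed for $repo" >&2
    return 1
  fi
  printf '%s\n' "$prs" | while read -r num sha; do
    [ -n "$num" ] || continue
    # Per-PR work uses if/continue rather than set -e/set +e toggles, so a
    # failure here skips this PR only and never changes shell mode for the
    # next iteration (the mismatch the reviewer flagged).
    status=$(gate_status "$num" "$sha")
    if [ "$status" != pending ]; then
      echo "pr $num: gate $status, skip"
      continue
    fi
    if ! run_id=$(latest_run_id "$num"); then
      echo "pr $num: no dependency-cooldown run found, skip"
      continue
    fi
    if [ "$dry_run" = true ]; then
      echo "pr $num: would rerun $run_id"
    else
      rerun_run "$run_id" >/dev/null && echo "pr $num: rerun $run_id"
    fi
  done
}
rescan_pending example-repo true
```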