fix: match dependabot author login format in automerge

[jbdevprimary]

Summary

• gh pr list --json author returns app/dependabot, not dependabot[bot]
• Switch from exact string match to regex test("dependabot") to catch both formats
• Same fix for release-please

Root cause

The automerge workflow found 0 eligible PRs despite 8 open dependabot PRs because the jq filter was checking for dependabot[bot] but the API returns app/dependabot.

🤖 Generated with Claude Code

[gemini-code-assist]

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

[coderabbitai]

Warning

Rate limit exceeded

@jbdevprimary has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 14 minutes and 31 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 017c9522-21f9-47e4-ab77-d57c411cfd3a

📥 Commits

Reviewing files that changed from the base of the PR and between 9534bdc and bd37886.

📒 Files selected for processing (1)

• .github/workflows/automerge.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/automerge-author-login

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[amazon-q-developer]

Security Issue Found

The fix correctly addresses the root cause (API returning app/dependabot instead of dependabot[bot]), but the regex pattern is overly permissive and creates a security vulnerability. The unanchored regex test("dependabot") will match any username containing "dependabot" anywhere in it, potentially allowing unauthorized PRs to auto-merge.

Critical change required: Anchor the regex patterns to match only the legitimate bot formats to prevent unauthorized auto-merging.

---

You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.