petry-projects · don-petry · Apr 16, 2026 · Apr 16, 2026 · Apr 16, 2026 · Apr 16, 2026
@@ -56,7 +56,7 @@ jobs:
           # so all version bumps (including major) are eligible.
           # App ecosystem PRs can only exist as security updates (limit: 0)
           # and must be patch/minor/indirect — major requires human review.
-          if [[ "$ECOSYSTEM" != "github-actions" && \
+          if [[ "$ECOSYSTEM" != "github_actions" && \
                 "$UPDATE_TYPE" != "version-update:semver-patch" && \
                 "$UPDATE_TYPE" != "version-update:semver-minor" && \
                 "$DEP_TYPE" != "indirect" ]]; then

@@ -51,7 +51,7 @@ jobs:
           # so all version bumps (including major) are eligible.
           # App ecosystem PRs can only exist as security updates (limit: 0)
           # and must be patch/minor/indirect — major requires human review.
-          if [[ "$ECOSYSTEM" != "github-actions" && \
+          if [[ "$ECOSYSTEM" != "github_actions" && \
                 "$UPDATE_TYPE" != "version-update:semver-patch" && \
                 "$UPDATE_TYPE" != "version-update:semver-minor" && \
                 "$DEP_TYPE" != "indirect" ]]; then

@@ -0,0 +1,45 @@
+# ─────────────────────────────────────────────────────────────────────────────
+# SOURCE OF TRUTH: petry-projects/.github/standards/workflows/dependabot-rebase.yml
+# Standard:        petry-projects/.github/standards/dependabot-policy.md
+# Reusable:        petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml
+#
+# AGENTS — READ BEFORE EDITING:
+#   • This file is a THIN CALLER STUB. All rebase/merge serialization logic
+#     lives in the reusable workflow above.
+#   • You MAY change: nothing in this file in normal use. Adopt verbatim.
+#   • You MUST NOT change: trigger event, the concurrency group name,
+#     the `uses:` line, the explicit secrets block, or the job-level
+#     `permissions:` block — reusable workflows can be granted no more
+#     permissions than the calling job has, so removing the stanza breaks
+#     the reusable's gh API calls.
+#   • If you need different behaviour, open a PR against the reusable in the
+#     central repo.
+# ─────────────────────────────────────────────────────────────────────────────
+#
+# Dependabot update-and-merge — thin caller for the org-level reusable.
+# To adopt: copy this file to .github/workflows/dependabot-rebase.yml in your repo.
+# Required org/repo secrets (inherited):
+#   APP_ID         — GitHub App ID with contents:write and pull-requests:write
+#   APP_PRIVATE_KEY — GitHub App private key
+name: Dependabot update and merge
+
+on:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: dependabot-update-and-merge
+  cancel-in-progress: false
+
+permissions: {}
+
+jobs:
+  dependabot-rebase:
+    permissions:
+      contents: read
+      pull-requests: read
+    uses: petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@ae9709f4466dec60a5733c9e7487f69dcd004e05 # v1
+    secrets:
+      APP_ID: ${{ secrets.APP_ID }}
+      APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
@@ -35,15 +35,20 @@ security posture than chasing every minor/patch release.
 
 ## Configuration Files
 
-Each repository must have:
+Each repository must have the following baseline files:
 
 | File | Purpose |
 |------|---------|
 | `.github/dependabot.yml` | Dependabot config scoped to the repo's ecosystems |
 | `.github/workflows/dependabot-automerge.yml` | Auto-approve + squash-merge security PRs |
-| `.github/workflows/dependabot-rebase.yml` | Rebase behind Dependabot PRs after merges |
 | `.github/workflows/dependency-audit.yml` | CI check — fail on known vulnerabilities |
 
+The following file is conditional:
+
+| File | When required |
+|------|--------------|
+| `.github/workflows/dependabot-rebase.yml` | Required when strict required-status-checks (`strict_required_status_checks_policy: true`) or CODEOWNERS review enforcement (`require_code_owner_review: true`) applies. See [Applying to a Repository](#applying-to-a-repository) for details. |
+
 ## Dependabot Templates
 
 Use the template matching your repository type.
@@ -204,13 +209,17 @@ The workflow fails if any known vulnerability is found, blocking the PR from mer
 1. Copy the appropriate `dependabot.yml` template to `.github/dependabot.yml`,
    adjusting `directory` paths as needed.
 2. Add `workflows/dependabot-automerge.yml` to `.github/workflows/`.
-3. Add `workflows/dependabot-rebase.yml` to `.github/workflows/` **only if the
-   repo enforces strict required-status-checks** (i.e., "branches must be up
-   to date before merging" is on, either via the new ruleset system's
-   `strict_required_status_checks_policy: true` or classic branch protection's
-   `required_status_checks.strict: true`). If strict checks are off, the
-   rebase workflow is unnecessary because Dependabot PRs that fall behind can
-   merge as-is — adding it just creates churn and failure noise.
+3. Add `workflows/dependabot-rebase.yml` to `.github/workflows/` if the repo
+   enforces **either** of the following:
+   - **Strict required-status-checks** (`strict_required_status_checks_policy: true`
+     or classic branch protection `required_status_checks.strict: true`) — without
+     this workflow, Dependabot PRs fall behind after each merge and stall.
+   - **CODEOWNERS review requirement** (`require_code_owner_review: true`) — GitHub's
+     auto-merge mechanism does not apply ruleset bypass actors at merge time, so the
+     App token approval does not satisfy the CODEOWNERS gate. The rebase workflow's
+     direct `gh api .../merge` call does apply the bypass, allowing the App to merge
+     without a human CODEOWNERS review.
+   If neither condition applies, the rebase workflow is unnecessary.
 4. Add `workflows/dependency-audit.yml` to `.github/workflows/`.
 5. **GitHub App secrets** — `APP_ID` and `APP_PRIVATE_KEY` are managed at the
    **organization level** (`gh secret set <name> --org petry-projects --visibility all`),

@@ -8,10 +8,10 @@
 #     lives in the reusable workflow above.
 #   • You MAY change: nothing in this file in normal use. Adopt verbatim.
 #   • You MUST NOT change: trigger event, the concurrency group name,
-#     the `uses:` line, `secrets: inherit`, or the job-level `permissions:`
-#     block — reusable workflows can be granted no more permissions than the
-#     calling job has, so removing the stanza breaks the reusable's gh API
-#     calls.
+#     the `uses:` line, the explicit secrets block, or the job-level
+#     `permissions:` block — reusable workflows can be granted no more
+#     permissions than the calling job has, so removing the stanza breaks
+#     the reusable's gh API calls.
 #   • If you need different behaviour, open a PR against the reusable in the
 #     central repo.
 # ─────────────────────────────────────────────────────────────────────────────
@@ -39,5 +39,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: read
-    uses: petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@v1
-    secrets: inherit
+    uses: petry-projects/.github/.github/workflows/dependabot-rebase-reusable.yml@ae9709f4466dec60a5733c9e7487f69dcd004e05 # v1
+    secrets:
+      APP_ID: ${{ secrets.APP_ID }}
+      APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}