
feat: add dependabot-rebase workflow standard#52

Merged
don-petry merged 3 commits into main from feat/dependabot-rebase-workflow
Apr 6, 2026

Conversation

@don-petry
Contributor

@don-petry don-petry commented Apr 6, 2026

Summary

  • Adds standards/workflows/dependabot-rebase.yml — a new workflow that triggers on push to main and comments @dependabot rebase on any open Dependabot PRs that have fallen behind
  • Updates standards/dependabot-policy.md to document the new workflow, explain why API rebases must not be used on Dependabot PRs, and adds the workflow to the required configuration table

Problem

When branch protection requires branches to be up-to-date (strict: true), merging one Dependabot PR makes the others fall behind main. Dependabot only auto-rebases on its weekly schedule or when there are merge conflicts — not when a PR merely falls behind. This leaves auto-merge stalled indefinitely.

Using the GitHub API update-branch endpoint to rebase Dependabot PRs is worse: it replaces Dependabot's commit signature, causing dependabot/fetch-metadata to reject the PR and Dependabot to refuse future rebases ("edited by someone other than Dependabot").

Solution

The new workflow uses @dependabot rebase so Dependabot performs the rebase itself, preserving its commit signature and keeping the automerge flow intact.

Test plan

  • Deploy to google-app-scripts first and validate with open Dependabot PRs
  • Confirm: rebase triggers, CI passes, auto-merge completes, review threads resolved
  • Roll out to remaining org repos after validation

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores

    • Added automated workflow to keep Dependabot pull requests up to date with the main branch.
  • Documentation

    • Updated standards documentation to reflect new rebase automation process and configuration requirements for repositories.

When strict status checks require branches to be up-to-date, merging one
Dependabot PR makes others fall behind. Dependabot only rebases on its
weekly schedule, leaving auto-merge stalled. This workflow triggers on
push to main and comments @dependabot rebase on behind PRs, preserving
Dependabot's commit signature for fetch-metadata verification.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
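A sketch of the workflow the PR describes, written here as an added example rather than the project's own standards/workflows/dependabot-rebase.yml. It follows the shape given in the description and review walkthrough (an installation token from actions/create-github-app-token, the gh CLI to list open Dependabot PRs, the compare API's behind_by count, and a @dependabot rebase comment only when a PR is behind) and includes the concurrency stanza CodeRabbit asks for in its review. The secret names DEPENDABOT_APP_ID and DEPENDABOT_APP_PRIVATE_KEY, the action version tag and the exact gh invocations are assumptions, not taken from the PR.

```yaml
# Added illustration, not the project's dependabot-rebase.yml.
# Assumed: a GitHub App installed on the repository, with its id and private
# key stored as the secrets DEPENDABOT_APP_ID and DEPENDABOT_APP_PRIVATE_KEY
# (names assumed for this example).
name: Rebase behind Dependabot PRs

on:
  push:
    branches: [main]

# GITHUB_TOKEN stays read-only; the single write (the PR comment) is made
# with the short-lived App token minted below.
permissions:
  contents: read
  pull-requests: read

# Serialise runs so a burst of pushes to main does not queue duplicate
# rebase requests against the same PRs.
concurrency:
  group: dependabot-rebase-${{ github.ref }}
  cancel-in-progress: true

jobs:
  rebase:
    runs-on: ubuntu-latest
    steps:
      - name: Mint an App installation token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.DEPENDABOT_APP_ID }}
          private-key: ${{ secrets.DEPENDABOT_APP_PRIVATE_KEY }}

      - name: Ask Dependabot to rebase any open PR that is behind main
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          REPO: ${{ github.repository }}
        run: |
          set -euo pipefail
          # Only PRs authored by Dependabot are considered.
          gh pr list --repo "$REPO" --author 'app/dependabot' --state open \
            --json number,headRefName \
            --jq '.[] | "\(.number) \(.headRefName)"' |
          while read -r number head; do
            # behind_by = commits on main that the PR branch does not have.
            behind=$(gh api "repos/$REPO/compare/main...$head" --jq '.behind_by')
            if [ "${behind:-0}" -gt 0 ]; then
              echo "PR #$number is $behind commit(s) behind main; requesting rebase"
              # Dependabot performs the rebase itself, so its commit signature
              # is preserved and dependabot/fetch-metadata keeps passing.
              gh pr comment "$number" --repo "$REPO" --body '@dependabot rebase'
            fi
          done
```

The workflow never touches the PR branch: the only mutation is one comment, and Dependabot, not the job, rewrites the branch. That is the property the PR relies on (the commit signature survives, so fetch-metadata and future Dependabot rebases keep working), and it is also why GITHUB_TOKEN can stay read-only while the App token carries the single write.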
Copilot AI review requested due to automatic review settings April 6, 2026 02:10
@coderabbitai

coderabbitai bot commented Apr 6, 2026

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minute and 39 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 1 minute and 39 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0612f65e-2531-4c1e-be27-cf6353fea39a

📥 Commits

Reviewing files that changed from the base of the PR and between 2df2f71 and 88c1777.

📒 Files selected for processing (3)
  • standards/dependabot-policy.md
  • standards/workflows/dependabot-automerge.yml
  • standards/workflows/dependabot-rebase.yml
📝 Walkthrough

Walkthrough

This PR introduces a new GitHub Actions workflow (dependabot-rebase.yml) that automatically rebases Dependabot pull requests that fall behind the main branch on each push to main. Documentation updates specify this workflow as a required repository configuration and detail its integration with Dependabot's rebase mechanism.

Changes

Cohort / File(s): Summary

Documentation Updates (standards/dependabot-policy.md):
Added "Rebase Behind PRs Workflow" section specifying the new workflow as a required entry. Documented that rebasing occurs via @dependabot rebase comments posted by the workflow on subsequent main pushes. Added prohibition against using GitHub API update-branch endpoint for Dependabot PR rebasing due to commit-signature verification concerns. Updated "Applying to a Repository" steps to reference the new workflow and GitHub App secret requirements for both auto-merge and rebase functionality.

New Workflow (standards/workflows/dependabot-rebase.yml):
New GitHub Actions workflow triggered on every main push. Uses actions/create-github-app-token to generate a token from secrets, then queries open Dependabot PRs via gh CLI. For each PR, calculates commits behind main using GitHub compare API and posts @dependabot rebase comment if behind-count exceeds zero. Implements restricted permissions (contents: read, pull-requests: read).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name / Status / Explanation:
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The PR title 'feat: add dependabot-rebase workflow standard' accurately and concisely describes the main change: adding a new workflow standard for rebasing Dependabot PRs.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Contributor

Copilot AI left a comment


Pull request overview

Adds an org standard workflow template to keep Dependabot PRs rebased when branch protection requires “up-to-date” branches, and documents its required adoption across repos.

Changes:

  • Add standards/workflows/dependabot-rebase.yml to comment @dependabot rebase on open behind Dependabot PRs after pushes to main.
  • Update standards/dependabot-policy.md to require the new workflow and explain why GitHub’s update-branch API must not be used for Dependabot PR rebases.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File / Description:
  • standards/workflows/dependabot-rebase.yml: New workflow template to detect behind Dependabot PRs and request Dependabot-managed rebases.
  • standards/dependabot-policy.md: Policy/doc updates adding the workflow to required config and documenting rationale/usage.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
standards/dependabot-policy.md (1)

35-42: ⚠️ Potential issue | 🟠 Major

Required-workflow policy is now out of sync with org enforcement.

This document now says every repository must include .github/workflows/dependabot-rebase.yml, but org enforcement still uses the existing required-workflow set. Please update the org-level required-workflows standard and compliance audit list in the same rollout, otherwise this requirement is not enforceable.

Based on learnings: standards/ci-standards.md currently defines exactly six universally required workflows, and scripts/compliance-audit.sh enforces that same six-workflow list.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@standards/dependabot-policy.md` around lines 35 - 42, The dependabot policy
was changed to require `.github/workflows/dependabot-rebase.yml` but org
enforcement still enforces the previous six-workflow set; update the org-level
standards and enforcement in the same rollout by adding
`.github/workflows/dependabot-rebase.yml` to the universal workflow list in
standards/ci-standards.md and to the hard-coded required list in
scripts/compliance-audit.sh (ensure the workflow name string matches exactly and
update any commentary/tests that enumerate the six workflows).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@standards/workflows/dependabot-rebase.yml`:
- Around line 26-31: The workflow can run overlapping rebase jobs on rapid
pushes; add a top-level concurrency stanza to the YAML (near the existing
on/permissions keys) to serialize runs and cancel in-progress duplicates—e.g.,
add a concurrency block with a stable group name like "dependabot-rebase-${{
github.ref }}" and set cancel-in-progress: true so only one rebase job per
branch/reference runs at a time.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 060ca54c-8cef-4069-b0b6-02711786f591

📥 Commits

Reviewing files that changed from the base of the PR and between 7057378 and 2df2f71.

📒 Files selected for processing (2)
  • standards/dependabot-policy.md
  • standards/workflows/dependabot-rebase.yml

DJ and others added 2 commits April 5, 2026 19:37
Based on testing in google-app-scripts:
- @dependabot rebase only works from human users, not bots
- API rebase breaks Dependabot ownership; API merge preserves it
- GitHub auto-merge (--auto) fails due to BLOCKED mergeable_state
- Add direct merge step and skip-commit-verification to automerge

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@sonarqubecloud

sonarqubecloud bot commented Apr 6, 2026

@don-petry don-petry merged commit d690c66 into main Apr 6, 2026
17 checks passed