Create Renovate Repair PR Workflow

[tqer39]

📒 変更の概要

• ✨ create-renovate-repair-pr.yml ワークフローを追加しました。このワークフローは、Renovate PR の CI が失敗した場合に修正 PR を自動生成するためのものです。

⚒ 技術的詳細

• 🛠️ ワークフローは workflow_dispatch と workflow_run のイベントに基づいてトリガーされます。
• 🔑 GitHub App トークンを生成し、対象の Renovate PR を特定します。
• 📄 修正 PR の作成時には、元の PR の情報を含むテンプレートが生成されます。
• 🚀 修正 PR は、元の PR のベースブランチに対して作成され、CI を再実行するための空のコミットが含まれます。

⚠ 注意点

• ⚠️ このワークフローは、元の Renovate PR がオープンであり、Renovate によって作成されたものであることを確認します。
• ⚠️ 修正 PR は、元の PR に直接変更を加えず、レビュー用の PR として作成されます。

[coderabbitai]

📝 Walkthrough

Walkthrough

A new GitHub Actions workflow automates creation of "repair" draft PRs when Renovate PRs fail CI. The workflow discovers eligible Renovate PRs, validates branch patterns, computes deterministic repair branch names, checks for existing repairs, and creates draft PRs with empty retrigger commits or logs existing repairs to prevent duplicates.

Changes

Renovate Repair PR Workflow

Layer / File(s)	Summary
Workflow triggers and job configuration .github/workflows/create-renovate-repair-pr.yml	Workflow accepts manual dispatch with optional pr_number and dry_run inputs, also triggers on completion of Labeler, lint, and Test Install Scripts workflows. Job runs on Ubuntu with 10-minute timeout and read-only repository/actions permissions.
Discover and validate target Renovate PR .github/workflows/create-renovate-repair-pr.yml	Authenticates via GitHub App token, determines target PR from input or workflow run metadata, fetches PR data filtered to open Renovate PRs only, validates renovate/* branch pattern, rejects existing repair branches, computes sanitized repair branch name, checks for existing open repair PR, and exports values for downstream use.
Create repair PR or log existing .github/workflows/create-renovate-repair-pr.yml	When no existing repair PR is found, generates Japanese markdown body, skips git operations if dry-run is enabled, initializes temporary repo, creates repair branch with empty commit to retrigger CI, pushes branch using GitHub App token, and opens draft PR. Logs URL of existing repair PR to prevent duplicates.

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 A rabbit hops through CI winds,
When Renovate stumbles and fails,
A repair branch now springs to life,
With empty commits and Japanese tales—
Auto-healing PRs, without a mail! 🌿

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change: adding a new GitHub Actions workflow for creating Renovate repair PRs. It accurately summarizes the primary purpose of the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/renovate-repair-pr-workflow

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/create-renovate-repair-pr.yml:
- Around line 31-44: The workflow currently creates the GitHub App token
unconditionally in the step with id "app-token" (uses:
actions/create-github-app-token) even for workflow_run events that aren’t PRs;
update the job condition to gate workflow_run paths by adding
github.event.workflow_run.event == 'pull_request' to the existing if check,
perform the read-only PR existence/eligibility lookup using the default
GITHUB_TOKEN before any app token creation, and move the "app-token" step so it
only runs on the branch-push / PR-create path (i.e., when the PR lookup shows an
eligible Renovate PR) to avoid minting the app token for non-PR workflow_run
failures.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9337d101-6ff6-431c-b1f6-eaa79e60730f

📥 Commits

Reviewing files that changed from the base of the PR and between 745380c and 4b1ff37.

📒 Files selected for processing (1)

• .github/workflows/create-renovate-repair-pr.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Delay GitHub App token creation until after the PR is proven eligible.

lint and Test Install Scripts also run on push to main, so failed non-PR runs still reach this job and mint the app token before the workflow discovers there is no target Renovate PR. Please gate workflow_run paths on github.event.workflow_run.event == 'pull_request' and do the read-only PR lookup with the default GITHUB_TOKEN; only create the app token on the branch-push / PR-create path.

🧰 Tools

🪛 zizmor (1.25.2)

[error] 41-41: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions

(github-app)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/create-renovate-repair-pr.yml around lines 31 - 44, The
workflow currently creates the GitHub App token unconditionally in the step with
id "app-token" (uses: actions/create-github-app-token) even for workflow_run
events that aren’t PRs; update the job condition to gate workflow_run paths by
adding github.event.workflow_run.event == 'pull_request' to the existing if
check, perform the read-only PR existence/eligibility lookup using the default
GITHUB_TOKEN before any app token creation, and move the "app-token" step so it
only runs on the branch-push / PR-create path (i.e., when the PR lookup shows an
eligible Renovate PR) to avoid minting the app token for non-PR workflow_run
failures.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Stale repair branches will block later retries.

REPAIR_BRANCH is deterministic, but duplicate detection only looks for an open PR. If a previous repair PR was closed or merged and its branch still exists, the later git push origin "${REPAIR_BRANCH}" on Line 193 becomes a non-fast-forward update because this job recreates the branch from HEAD_BRANCH. Please also handle an existing remote branch here, or generate a new branch name when the ref is already present.