
docs: clarify Dependabot workflow permissions #10

Merged
oneslash merged 1 commit into main from docs/update-gh-integration
Apr 21, 2026


@oneslash oneslash commented Apr 21, 2026

This pull request updates the documentation to clarify the required GitHub Actions permissions and workflow setup for using Limier with Dependabot, especially when integrating the dependabot/fetch-metadata action. The changes emphasize the need to explicitly grant pull-requests: read permission and provide more detailed, accurate sample configurations and guidance.

Documentation improvements for Dependabot and GitHub Actions:

  • Added guidance to explicitly grant pull-requests: read permission when using dependabot/fetch-metadata, and clarified that once a permissions block is present in a workflow, omitted scopes default to none (README.md, docs/guide/ci-and-deploy.md, examples/ci/README.md).
  • Updated sample workflow descriptions and examples to clarify that they are not drop-in Dependabot integrations and require additional triggers, metadata wiring, and permissions (README.md, examples/ci/README.md).
  • Improved the explanation of the minimal gate and permissions required for Dependabot workflows, including the use of dependabot/fetch-metadata and the need for a read-only review job (docs/guide/ci-and-deploy.md, examples/ci/README.md).
  • Clarified that sample runner scripts and workflows are for demonstration and are intentionally hardcoded, not meant as production-ready Dependabot glue layers (README.md).
  • Added warnings and best practices about separating privileged actions (like commenting or merging) into follow-up workflows, and avoiding pull_request_target for review runs (docs/guide/ci-and-deploy.md, examples/ci/README.md).

Summary by CodeRabbit

  • Documentation
    • Enhanced GitHub Actions configuration guidance for Dependabot integration with detailed permission requirements
    • Clarified that pull-requests: read permission must be explicitly declared when using Dependabot metadata operations
    • Updated CI examples and deployment guide to include proper permissions block configuration for Dependabot workflows
    • Noted that unspecified permission scopes default to none when a permissions block is present

@oneslash oneslash merged commit 94a4e59 into main Apr 21, 2026
4 checks passed
@oneslash oneslash deleted the docs/update-gh-integration branch April 21, 2026 14:07
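
The permissions rule this pull request documents, written out as a workflow. This is an added example, not a file from the Limier repository: the workflow name, job id, action version tags and the placeholder review step are assumptions, and the review command itself is left for the repository to supply.

```yaml
name: dependabot-review   # hypothetical workflow name

on:
  pull_request:           # the PR advises against pull_request_target for review runs

# Weak form: once this block exists, pull-requests is no longer taken
# from the repository default. Any scope not listed resolves to none.
#
# permissions:
#   contents: read

# Corrected form: every scope the job needs is listed explicitly.
permissions:
  contents: read
  pull-requests: read     # the scope this PR says dependabot/fetch-metadata needs

jobs:
  review:                 # hypothetical job id; read-only by construction
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Read-only review step (placeholder)
        # Outputs are passed through env instead of being interpolated
        # into the script body, so their content is never parsed as shell.
        env:
          DEP_NAMES: ${{ steps.metadata.outputs.dependency-names }}
          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
        run: |
          # Placeholder: the repository's own review command goes here.
          echo "reviewing ${DEP_NAMES} (${UPDATE_TYPE})"
```

Commenting or merging is deliberately absent from this job; the PR text places those privileged actions in a separate follow-up workflow.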

coderabbitai Bot commented Apr 21, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b7e85315-a85b-4333-9d73-46cdbf93b28f

📥 Commits

Reviewing files that changed from the base of the PR and between 520652b and 0b95361.

📒 Files selected for processing (3)
  • README.md
  • docs/guide/ci-and-deploy.md
  • examples/ci/README.md

Walkthrough

Documentation clarification added across three files explaining GitHub Actions permissions configuration requirements when using Dependabot's fetch-metadata action, emphasizing explicit pull-requests: read declaration and default scope behavior.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependabot GitHub Actions Permissions Documentation: README.md, docs/guide/ci-and-deploy.md, examples/ci/README.md | Added guidance requiring explicit pull-requests: read permission in GitHub Actions workflows when using dependabot/fetch-metadata. Clarified that once a permissions block is present, unspecified scopes default to none. Noted that Dependabot integration is not drop-in and requires additional repository-specific configuration. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 A tale of permissions, clear and bright,
Where GitHub Actions shine their light,
pull-requests: read now takes the stage,
Documentation guides each page—
No secrets hidden, scopes defined with care! ✨
