Skip to content

fix: enable delete_branch_on_merge and add settings enforcement script#104

Merged
donpetry-bot merged 32 commits into
mainfrom
claude/issue-90-20260414-1252
May 20, 2026
Merged

fix: enable delete_branch_on_merge and add settings enforcement script#104
donpetry-bot merged 32 commits into
mainfrom
claude/issue-90-20260414-1252

Conversation

@don-petry

Copy link
Copy Markdown
Contributor

Summary

  • Applies delete_branch_on_merge: true directly to the repository via GitHub API to resolve the compliance finding
  • Adds .github/scripts/apply-repo-settings.sh — an idempotent script that enforces all required repository settings from the org standard

Settings enforced by the script

Setting Value
delete_branch_on_merge true
allow_auto_merge true
allow_squash_merge true
allow_merge_commit true
allow_rebase_merge true
has_issues true
has_wiki false
squash_merge_commit_title PR_TITLE
squash_merge_commit_message COMMIT_MESSAGES

Test plan

  • delete_branch_on_merge: true confirmed via gh api repos/petry-projects/markets --jq .delete_branch_on_merge
  • Run .github/scripts/apply-repo-settings.sh with an admin token to verify idempotency
  • Confirm next compliance audit closes issue Compliance: delete_branch_on_merge #90

Closes #90

Generated with Claude Code

Closes #90

Adds .github/scripts/apply-repo-settings.sh — an idempotent script that
applies all required repository settings from the org standard:
  https://github.com/petry-projects/.github/blob/main/standards/github-settings.md

Settings enforced:
  - delete_branch_on_merge: true  (compliance fix for #90)
  - allow_auto_merge: true
  - allow_squash_merge / merge_commit / rebase_merge: true
  - has_issues: true, has_wiki: false
  - squash_merge_commit_title: PR_TITLE
  - squash_merge_commit_message: COMMIT_MESSAGES

Also applied delete_branch_on_merge: true directly via GitHub API so the
next compliance audit run will see the correct value without waiting for
the script to be executed manually.

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 14, 2026 12:55
@coderabbitai

coderabbitai Bot commented Apr 14, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 11 minutes and 58 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d4ff03fb-6b64-42ea-8e95-f09a9e6d0efd

📥 Commits

Reviewing files that changed from the base of the PR and between 9582a4a and e8cbea2.

📒 Files selected for processing (1)
  • .github/scripts/apply-repo-settings.sh
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-90-20260414-1252

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry

Copy link
Copy Markdown
Contributor Author

Hey @don-petry — this PR is ready for review and merge. It fixes the compliance finding by explicitly enabling delete_branch_on_merge: true (applied directly to the repo via GitHub API) and adds .github/scripts/apply-repo-settings.sh to make the required settings explicit, documented, and re-applicable in the future.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses org compliance for GitHub repository settings by adding a repo-local enforcement script intended to keep the petry-projects/markets repository aligned with the org’s standard defaults (including delete_branch_on_merge: true).

Changes:

  • Added an idempotent .github/scripts/apply-repo-settings.sh script that PATCHes the repository settings via gh api.
  • Script prints a focused subset of resulting repository settings for quick verification after applying changes.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/scripts/apply-repo-settings.sh
@don-petry

don-petry commented Apr 16, 2026

Copy link
Copy Markdown
Contributor Author
Superseded by automated re-review at a6a83ffb7b99f604dd608a6bb643f9fa1ac9fe0e — click to expand prior review.

Automated review — APPROVED

Risk: MEDIUM
Reviewed commit: 145ba2806f877055c59ecc1942b5682d56aca9f3
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Note: Approval review was blocked by GitHub (cannot self-approve). This verdict is posted as a comment; a human reviewer can formally approve.

Summary

PR #104 adds a manual idempotent bash script to enforce GitHub repository settings (fixing compliance issue #90). The script requires a human to supply an admin GH_TOKEN at runtime — no secrets are hardcoded, no CI automation is introduced, and all security scanners (CodeQL, SonarCloud, AgentShield) passed clean. Risk is MEDIUM solely because the script exercises GitHub administration scope, but the implementation is sound.

Findings

Info

  • [info] .github/scripts/apply-repo-settings.sh:37 — Using -F (typed field) for string enum values squash_merge_commit_title=PR_TITLE and squash_merge_commit_message=COMMIT_MESSAGES is benign — gh CLI passes non-numeric, non-boolean values as strings — but -f (raw string) would be more explicit and self-documenting.
  • [info] .github/scripts/apply-repo-settings.sh:22export GH_TOKEN after the nil-check is slightly redundant when the caller uses GH_TOKEN=value bash script.sh (already in the child environment), but it is a useful safety net if the script is ever sourced or if a wrapper exports it post-assignment.
  • [info] .github/scripts/apply-repo-settings.sh:15 — REPO is hardcoded to petry-projects/markets. This is intentional and actually desirable for a compliance-enforcement script, but a comment explaining the deliberate choice would reduce future confusion.

CI status

All automated checks passed (ci-green, CodeQL clean, SonarCloud zero issues). Merge is currently BLOCKED — likely pending branch-protection requirements (e.g. required human review). The automated approval is recorded; a human review may still be required by branch policy.


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@don-petry don-petry enabled auto-merge (squash) April 16, 2026 21:55
don-petry added a commit that referenced this pull request Apr 19, 2026
Adds `.github/scripts/apply-repo-settings.sh` — an idempotent script
that applies all repository settings required by the org standard:
  https://github.com/petry-projects/.github/blob/main/standards/github-settings.md

Settings enforced:
- delete_branch_on_merge: true  (compliance finding #90)
- allow_auto_merge: true
- allow_squash_merge / allow_merge_commit / allow_rebase_merge: true
- has_issues: true, has_wiki: false
- squash_merge_commit_title: PR_TITLE
- squash_merge_commit_message: COMMIT_MESSAGES

The setting has also been applied directly via the GitHub API this run.
Supersedes PRs #104 and #118 (same intent, never merged).

Closes #90

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

@petry-projects-pr-review-agent petry-projects-pr-review-agent Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@petry-projects-pr-review-agent petry-projects-pr-review-agent Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: a6a83ffb7b99f604dd608a6bb643f9fa1ac9fe0e
Review mode: triage-approved (single reviewer)

Summary

PR #104 adds a single idempotent bash script (.github/scripts/apply-repo-settings.sh, 48 lines) that enforces org-standard repository settings via gh api -X PATCH. This directly resolves compliance issue #90 (delete_branch_on_merge must be true). No production code is changed — the script is a manual admin tool requiring an explicit GH_TOKEN with admin scope at runtime. No substantive code changes since the prior cascade review (only merge commits and a CI retrigger).

Linked issue analysis

  • Closes #90 — Compliance audit flagged delete_branch_on_merge as null (expected true). The script sets delete_branch_on_merge=true along with all other org-standard defaults. The setting was also applied directly via the API per the PR description. Issue is substantively addressed.

Findings

No blocking issues. Minor observations (informational only, not blocking):

  • [info] -F (typed field) is used for string enum values like squash_merge_commit_title=PR_TITLE. The gh CLI handles this correctly, though -f (raw string) would be slightly more self-documenting for non-boolean/non-numeric values.
  • [info] REPO is hardcoded to petry-projects/markets. This is intentional and appropriate for a compliance-enforcement script scoped to this repository.

CI status

All checks passed:

  • ✅ CodeQL (actions) — SUCCESS
  • ✅ SonarCloud — SUCCESS (0 new issues, 0 security hotspots)
  • ✅ AgentShield — SUCCESS
  • ✅ CodeRabbit — SUCCESS
  • ✅ Dependency audit — ecosystem detection SUCCESS, language-specific audits SKIPPED (no applicable ecosystems)
  • ✅ CI — ecosystem detection SUCCESS, Backend/Frontend SKIPPED (no changes to those layers)

Reviewed automatically by the don-petry PR-review agent (single-reviewer, triage-approved). Reply with @don-petry if you need a human.

@sonarqubecloud

Copy link
Copy Markdown

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 9dc7ccc17a930df3c94139156b1562b24606dfb4
Review mode: triage-approved (single reviewer)

Summary

PR #104 adds a single idempotent bash script (.github/scripts/apply-repo-settings.sh, +48 lines) that enforces org-standard GitHub repository settings via gh api -X PATCH, directly resolving compliance issue #90 (delete_branch_on_merge: true). The script requires an explicit admin GH_TOKEN at runtime — no automation is introduced, no secrets are hardcoded, and no production code is changed. Confirming the triage tier's low-risk assessment.

Linked issue analysis

  • Closes #90 — The compliance audit flagged delete_branch_on_merge as null (expected true). The script sets delete_branch_on_merge=true plus the rest of the org-standard defaults (allow_auto_merge, allow_squash_merge, allow_merge_commit, allow_rebase_merge, has_issues=true, has_wiki=false, squash_merge_commit_title=PR_TITLE, squash_merge_commit_message=COMMIT_MESSAGES). The PR description also notes the setting was applied directly to the repo via API. Substantively addressed.

Changes since prior review

Since a6a83ffb (prior approval), the only changes are merge commits from main and unrelated PRs (CODEOWNERS updates, dependabot bumps, workflow fixes for the dependabot-rebase reusable). The PR-introduced file (.github/scripts/apply-repo-settings.sh) is byte-identical to the prior reviewed state. No new code to assess.

Findings

No blocking issues. Minor informational notes carried forward from prior review (not blocking):

  • [info] .github/scripts/apply-repo-settings.sh:26-35-F (typed field) is used for string enum values like squash_merge_commit_title=PR_TITLE and squash_merge_commit_message=COMMIT_MESSAGES. gh CLI handles this correctly, though -f (raw string) would be slightly more self-documenting for non-boolean/non-numeric values.
  • [info] .github/scripts/apply-repo-settings.sh:15REPO is hardcoded to petry-projects/markets. Intentional and appropriate for a compliance-enforcement script scoped to this repository.

CI status

All required checks green:

  • ✅ CodeQL (Analyze actions) — SUCCESS
  • ✅ CodeQL — SUCCESS
  • ✅ CodeRabbit — SUCCESS
  • ✅ SonarCloud — Quality Gate passed (0 new issues, 0 security hotspots)

Merge state is BLOCKED, presumably awaiting the formal review from @petry-projects/org-leads per branch-protection policy.


Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

@donpetry-bot donpetry-bot dismissed petry-projects-pr-review-agent[bot]’s stale review May 14, 2026 06:31

Superseded by automated re-review at 9dc7ccc.

@donpetry-bot donpetry-bot enabled auto-merge (squash) May 14, 2026 06:31
@donpetry-bot

Copy link
Copy Markdown
Contributor

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the donpetry-bot PR-review cascade.

@donpetry-bot donpetry-bot requested a review from a team May 16, 2026 23:40
@don-petry

Copy link
Copy Markdown
Contributor Author

@dev-lead - please fix this PR

@sonarqubecloud

Copy link
Copy Markdown

@donpetry-bot donpetry-bot merged commit 0e1f369 into main May 20, 2026
12 checks passed
@donpetry-bot donpetry-bot deleted the claude/issue-90-20260414-1252 branch May 20, 2026 20:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: delete_branch_on_merge

4 participants