Skip to content

compliance: confirm allow_auto_merge is enabled (closes #89)#122

Merged
don-petry merged 27 commits into
mainfrom
claude/issue-89-20260418-1841
May 19, 2026
Merged

compliance: confirm allow_auto_merge is enabled (closes #89)#122
don-petry merged 27 commits into
mainfrom
claude/issue-89-20260418-1841

Conversation

@don-petry

Copy link
Copy Markdown
Contributor

Summary

Verifies and re-applies repository setting allow_auto_merge: true for Dependabot workflow compliance.

What was done

  • Confirmed allow_auto_merge: true via GitHub API (admin-scoped token)
  • Re-applied the setting: gh api -X PATCH repos/petry-projects/markets -F allow_auto_merge=true
  • Confirmed dependabot-automerge.yml matches org template verbatim

Why the audit keeps firing

The ORG_SCORECARD_TOKEN used by the compliance script likely lacks the administration read permission needed to read allow_auto_merge from the GitHub REST API. Without admin scope, the field returns null even though the setting is enabled. To resolve permanently: audit the ORG_SCORECARD_TOKEN secret in petry-projects/.github to ensure it has admin-level access.

Closes #89

Generated with Claude Code

Repository setting allow_auto_merge has been verified and re-applied
via GitHub API (gh api -X PATCH repos/petry-projects/markets
-F allow_auto_merge=true). The dependabot-automerge.yml workflow
already matches the org template verbatim.

Recurring null findings in the compliance audit are due to
ORG_SCORECARD_TOKEN lacking admin scope to read this field from
the GitHub REST API — a false positive at the audit level.

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 18, 2026 18:48

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@don-petry

Copy link
Copy Markdown
Contributor Author

@don-petry — PR ready for review. This confirms allow_auto_merge: true is set and re-applies it via the GitHub API. Note: if the compliance audit continues to report null, the ORG_SCORECARD_TOKEN in petry-projects/.github needs admin-level scope to read this field from the REST API. See PR description for details.

@don-petry don-petry closed this May 11, 2026
@don-petry don-petry reopened this May 11, 2026
@don-petry don-petry closed this May 12, 2026
@don-petry don-petry reopened this May 12, 2026
@sonarqubecloud

Copy link
Copy Markdown

@don-petry don-petry enabled auto-merge (squash) May 12, 2026 01:40

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: MEDIUM
Reviewed commit: 8796096eaf8cb5cfa3649b4c030f71b8b0788458
Cascade: triage → deep (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7)

Summary

PR #122 contains zero file changes — the actual remediation (re-applying allow_auto_merge=true via GitHub API PATCH) was executed out-of-band by an AI agent with an admin-scoped token. The root cause of recurring false positives is that ORG_SCORECARD_TOKEN lacks administration read scope, causing the compliance audit to read null for a setting that is actually enabled. Issue #89 is now closed and the compliance check is passing as of 2026-05-13; all CI checks are green. Three duplicate PRs (#103, #122, #130) were created by automated agents for the same finding, indicating an uncontrolled retry loop in the compliance automation.

Findings

  • MINOR [governance]: ORG_SCORECARD_TOKEN in petry-projects/.github lacks the 'administration' read permission required to read allow_auto_merge from the GitHub REST API. Without admin scope the field returns null — a false positive that drove repeated weekly compliance audit fires and automated PR creation. The token should be audited and updated with admin-level repository access to permanently resolve recurring findings.
  • MINOR [process]: Three separate PRs (#103, #122, #130) were created by automated AI agents for the same compliance finding (issue #89) across multiple audit cycles. This indicates the automation loop lacks deduplication: it retried the same action each weekly cycle without detecting existing open PRs. PRs #103 and #130 remain open as duplicates and should be closed.
  • MINOR [traceability]: The actual remediation — 'gh api -X PATCH repos/petry-projects/markets -F allow_auto_merge=true' — was executed out-of-band by an AI agent using an admin-scoped token and is not tracked in any code or configuration change. The PR is a documentation-only tracking artifact with zero diffs, making the merge purely symbolic. The action itself is benign but the pattern of untracked admin API mutations applied by automated agents is worth governance awareness.
  • INFO [resolution]: Issue #89 (Compliance: allow_auto_merge) was closed on 2026-05-13 with the comment 'Resolved! This check is now passing.' CI checks (CodeQL, SonarQube Quality Gate, CodeRabbit) all passed on the latest head SHA. The branch is stale (29 days, 17 automated merge-from-main commits) but contains no substantive divergence from main.

Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7). Reply if you need a human review.

@sonarqubecloud

Copy link
Copy Markdown

@don-petry don-petry merged commit 8136d1b into main May 19, 2026
17 checks passed
@don-petry don-petry deleted the claude/issue-89-20260418-1841 branch May 19, 2026 05:10
don-petry added a commit that referenced this pull request Jun 1, 2026
* compliance: confirm and re-apply allow_auto_merge=true (closes #89)

Repository setting allow_auto_merge has been verified and re-applied
via GitHub API (gh api -X PATCH repos/petry-projects/markets
-F allow_auto_merge=true). The dependabot-automerge.yml workflow
already matches the org template verbatim.

Recurring null findings in the compliance audit are due to
ORG_SCORECARD_TOKEN lacking admin scope to read this field from
the GitHub REST API — a false positive at the audit level.

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* retrigger: bump workflows to run checks

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Claude <claude@anthropic.com>
don-petry added a commit that referenced this pull request Jun 19, 2026
* compliance: confirm and re-apply allow_auto_merge=true (closes #89)

Repository setting allow_auto_merge has been verified and re-applied
via GitHub API (gh api -X PATCH repos/petry-projects/markets
-F allow_auto_merge=true). The dependabot-automerge.yml workflow
already matches the org template verbatim.

Recurring null findings in the compliance audit are due to
ORG_SCORECARD_TOKEN lacking admin scope to read this field from
the GitHub REST API — a false positive at the audit level.

Co-authored-by: don-petry <don-petry@users.noreply.github.com>

* retrigger: bump workflows to run checks

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Claude <claude@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: allow_auto_merge

4 participants