compliance: confirm allow_auto_merge is enabled (closes #89)#122
Conversation
Repository setting allow_auto_merge has been verified and re-applied via GitHub API (gh api -X PATCH repos/petry-projects/markets -F allow_auto_merge=true). The dependabot-automerge.yml workflow already matches the org template verbatim. Recurring null findings in the compliance audit are due to ORG_SCORECARD_TOKEN lacking admin scope to read this field from the GitHub REST API — a false positive at the audit level. Co-authored-by: don-petry <don-petry@users.noreply.github.com>
There was a problem hiding this comment.
Copilot wasn't able to review any files in this pull request.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
@don-petry — PR ready for review. This confirms |
|
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: MEDIUM
Reviewed commit: 8796096eaf8cb5cfa3649b4c030f71b8b0788458
Cascade: triage → deep (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7)
Summary
PR #122 contains zero file changes — the actual remediation (re-applying allow_auto_merge=true via GitHub API PATCH) was executed out-of-band by an AI agent with an admin-scoped token. The root cause of recurring false positives is that ORG_SCORECARD_TOKEN lacks administration read scope, causing the compliance audit to read null for a setting that is actually enabled. Issue #89 is now closed and the compliance check is passing as of 2026-05-13; all CI checks are green. Three duplicate PRs (#103, #122, #130) were created by automated agents for the same finding, indicating an uncontrolled retry loop in the compliance automation.
Findings
- MINOR [governance]: ORG_SCORECARD_TOKEN in petry-projects/.github lacks the 'administration' read permission required to read allow_auto_merge from the GitHub REST API. Without admin scope the field returns null — a false positive that drove repeated weekly compliance audit fires and automated PR creation. The token should be audited and updated with admin-level repository access to permanently resolve recurring findings.
- MINOR [process]: Three separate PRs (#103, #122, #130) were created by automated AI agents for the same compliance finding (issue #89) across multiple audit cycles. This indicates the automation loop lacks deduplication: it retried the same action each weekly cycle without detecting existing open PRs. PRs #103 and #130 remain open as duplicates and should be closed.
- MINOR [traceability]: The actual remediation — 'gh api -X PATCH repos/petry-projects/markets -F allow_auto_merge=true' — was executed out-of-band by an AI agent using an admin-scoped token and is not tracked in any code or configuration change. The PR is a documentation-only tracking artifact with zero diffs, making the merge purely symbolic. The action itself is benign but the pattern of untracked admin API mutations applied by automated agents is worth governance awareness.
- INFO [resolution]: Issue #89 (Compliance: allow_auto_merge) was closed on 2026-05-13 with the comment 'Resolved! This check is now passing.' CI checks (CodeQL, SonarQube Quality Gate, CodeRabbit) all passed on the latest head SHA. The branch is stale (29 days, 17 automated merge-from-main commits) but contains no substantive divergence from main.
Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7). Reply if you need a human review.
|
* compliance: confirm and re-apply allow_auto_merge=true (closes #89) Repository setting allow_auto_merge has been verified and re-applied via GitHub API (gh api -X PATCH repos/petry-projects/markets -F allow_auto_merge=true). The dependabot-automerge.yml workflow already matches the org template verbatim. Recurring null findings in the compliance audit are due to ORG_SCORECARD_TOKEN lacking admin scope to read this field from the GitHub REST API — a false positive at the audit level. Co-authored-by: don-petry <don-petry@users.noreply.github.com> * retrigger: bump workflows to run checks --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Claude <claude@anthropic.com>
* compliance: confirm and re-apply allow_auto_merge=true (closes #89) Repository setting allow_auto_merge has been verified and re-applied via GitHub API (gh api -X PATCH repos/petry-projects/markets -F allow_auto_merge=true). The dependabot-automerge.yml workflow already matches the org template verbatim. Recurring null findings in the compliance audit are due to ORG_SCORECARD_TOKEN lacking admin scope to read this field from the GitHub REST API — a false positive at the audit level. Co-authored-by: don-petry <don-petry@users.noreply.github.com> * retrigger: bump workflows to run checks --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Claude <claude@anthropic.com>



Summary
Verifies and re-applies repository setting
allow_auto_merge: truefor Dependabot workflow compliance.What was done
allow_auto_merge: truevia GitHub API (admin-scoped token)gh api -X PATCH repos/petry-projects/markets -F allow_auto_merge=truedependabot-automerge.ymlmatches org template verbatimWhy the audit keeps firing
The
ORG_SCORECARD_TOKENused by the compliance script likely lacks theadministrationread permission needed to readallow_auto_mergefrom the GitHub REST API. Without admin scope, the field returnsnulleven though the setting is enabled. To resolve permanently: audit theORG_SCORECARD_TOKENsecret inpetry-projects/.githubto ensure it has admin-level access.Closes #89
Generated with Claude Code