compliance: confirm allow_auto_merge is enabled (closes #89)#130
Conversation
Repository setting allow_auto_merge has been verified and re-applied via GitHub API: gh api -X PATCH repos/petry-projects/markets -F allow_auto_merge=true The dependabot-automerge.yml workflow is already present and matches the org template verbatim. Root cause of recurring audit findings: ORG_SCORECARD_TOKEN lacks the administration:read permission needed to read allow_auto_merge from the GitHub REST API. Without admin scope, the field returns null even though the setting is enabled — a false positive. To permanently resolve, grant ORG_SCORECARD_TOKEN admin-level access to the repository in petry-projects/.github settings. Co-authored-by: don-petry <don-petry@users.noreply.github.com>
There was a problem hiding this comment.
Copilot wasn't able to review any files in this pull request.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
@don-petry — CI is green (CodeQL and SonarCloud still running but no failures). This PR supersedes #103 and #122 (both still open). What this PR does:
Why the audit keeps firing: Permanent fix: In Once this PR is merged, issue #89 will close automatically. PRs #103 and #122 can be closed as duplicates. |
Superseded by automated re-review at
|
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: a6a83ffb7b99f604dd608a6bb643f9fa1ac9fe0e
Review mode: triage-approved (single reviewer)
Summary
PR #104 adds a single idempotent bash script (.github/scripts/apply-repo-settings.sh, 48 lines) that enforces org-standard repository settings via gh api -X PATCH. This directly resolves compliance issue #90 (delete_branch_on_merge must be true). No production code is changed — the script is a manual admin tool requiring an explicit GH_TOKEN with admin scope at runtime. No substantive code changes since the prior cascade review (only merge commits and a CI retrigger).
Linked issue analysis
- Closes #90 — Compliance audit flagged
delete_branch_on_mergeasnull(expectedtrue). The script setsdelete_branch_on_merge=truealong with all other org-standard defaults. The setting was also applied directly via the API per the PR description. Issue is substantively addressed.
Findings
No blocking issues. Minor observations (informational only, not blocking):
- [info]
-F(typed field) is used for string enum values likesquash_merge_commit_title=PR_TITLE. TheghCLI handles this correctly, though-f(raw string) would be slightly more self-documenting for non-boolean/non-numeric values. - [info]
REPOis hardcoded topetry-projects/markets. This is intentional and appropriate for a compliance-enforcement script scoped to this repository.
CI status
All checks passed:
- ✅ CodeQL (actions) — SUCCESS
- ✅ SonarCloud — SUCCESS (0 new issues, 0 security hotspots)
- ✅ AgentShield — SUCCESS
- ✅ CodeRabbit — SUCCESS
- ✅ Dependency audit — ecosystem detection SUCCESS, language-specific audits SKIPPED (no applicable ecosystems)
- ✅ CI — ecosystem detection SUCCESS, Backend/Frontend SKIPPED (no changes to those layers)
Reviewed automatically by the don-petry PR-review agent (single-reviewer, triage-approved). Reply with @don-petry if you need a human.
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: e0886512c9fdfd51836fcf070403a0d6b1fbc7bd
Review mode: triage-approved (single reviewer)
Summary
Single-file GitHub Actions workflow change adopting the org-standard dependabot-rebase caller stub. Pins the reusable workflow to SHA 3c6335c0 (replacing mutable @v1 tag), replaces blanket secrets: inherit with explicit APP_ID/APP_PRIVATE_KEY, adds workflow_dispatch trigger, and escalates job permissions from read to write (justified by rebase and re-approve operations). Net security posture is improved.
Linked issue analysis
No linked issues. PR description states it supersedes prior SHA-pinning and dispatch PRs — this is a standards-adoption change with self-contained motivation.
Findings
No blocking issues.
Positive changes:
- Reusable workflow ref changed from mutable tag
@v1to SHA-pinned@3c6335c0a214bba940bbcbc4346e9d4ab0cb63e1— prevents tag-hijack supply-chain risk. secrets: inherit(passes all repo secrets) replaced with explicitAPP_ID/APP_PRIVATE_KEY— reduces secret surface area.
Informational:
- Permission escalation from
contents: read/pull-requests: readtocontents: write/pull-requests: write— necessary for the reusable workflow to update branches and re-approve PRs post-rebase. Inline comments document the rationale. Blast radius is limited by the SHA-pinned reusable ref. workflow_dispatchtrigger added — allows manual flush of the Dependabot PR queue. Low risk.
CI status
All checks passed:
- ✅ CodeQL (actions) — SUCCESS
- ✅ SonarCloud — SUCCESS (0 new issues, 0 security hotspots)
- ✅ AgentShield — SUCCESS
- ✅ CodeRabbit — SUCCESS
- ✅ Dependency audit — ecosystem detection SUCCESS
- ✅ CI — ecosystem detection SUCCESS
Reviewed automatically by the don-petry PR-review agent (single-reviewer mode: opus 4.6). Reply with @don-petry if you need a human.
Superseded by automated re-review at c6ec11a.
Automated review — human attention neededThis PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops. Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the Posted by the don-petry PR-review cascade. |
|
* compliance: re-apply and confirm allow_auto_merge=true (closes #89) Repository setting allow_auto_merge has been verified and re-applied via GitHub API: gh api -X PATCH repos/petry-projects/markets -F allow_auto_merge=true The dependabot-automerge.yml workflow is already present and matches the org template verbatim. Root cause of recurring audit findings: ORG_SCORECARD_TOKEN lacks the administration:read permission needed to read allow_auto_merge from the GitHub REST API. Without admin scope, the field returns null even though the setting is enabled — a false positive. To permanently resolve, grant ORG_SCORECARD_TOKEN admin-level access to the repository in petry-projects/.github settings. Co-authored-by: don-petry <don-petry@users.noreply.github.com> * retrigger: bump workflows to run checks --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Claude <claude@anthropic.com>
* compliance: re-apply and confirm allow_auto_merge=true (closes #89) Repository setting allow_auto_merge has been verified and re-applied via GitHub API: gh api -X PATCH repos/petry-projects/markets -F allow_auto_merge=true The dependabot-automerge.yml workflow is already present and matches the org template verbatim. Root cause of recurring audit findings: ORG_SCORECARD_TOKEN lacks the administration:read permission needed to read allow_auto_merge from the GitHub REST API. Without admin scope, the field returns null even though the setting is enabled — a false positive. To permanently resolve, grant ORG_SCORECARD_TOKEN admin-level access to the repository in petry-projects/.github settings. Co-authored-by: don-petry <don-petry@users.noreply.github.com> * retrigger: bump workflows to run checks --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Claude <claude@anthropic.com>



Summary
allow_auto_merge: truevia GitHub API.github/workflows/dependabot-automerge.ymlmatches org template verbatimVerification
The
dependabot-automerge.ymlworkflow is present and matches the org template atpetry-projects/.github/standards/workflows/dependabot-automerge.ymlverbatim.Why the audit keeps reporting
nullThe
ORG_SCORECARD_TOKENused by the compliance script (scripts/compliance-audit.sh)calls
gh api repos/petry-projects/marketsand reads.allow_auto_merge. This field isonly returned for tokens with admin-level repository access. If
ORG_SCORECARD_TOKENisa fine-grained PAT without
administration: readpermission, GitHub returnsnullforthis field even though the setting is enabled — a false positive.
To permanently resolve: Grant
ORG_SCORECARD_TOKENadmin-level read access torepositories in
petry-projects/.githubsettings.Previous PRs
PRs #103 and #122 covered the same finding but were not merged. This PR supersedes them.
Closes #89
Generated with Claude Code