fix: Dependabot auto-merge broken — missing appId in GitHub App token

[don-petry]

Summary

The Dependabot auto-merge workflow fails with:

Error: [@octokit/auth-app] appId option is required

Affected Repos

• ContentTwin — run 24011026577
• .github — PR chore(deps): bump anthropics/claude-code-action from 1.0.83 to 1.0.89 #22 (anthropics/claude-code-action bump)

Root Cause

The GitHub App token creation step references an appId secret that is either missing or not accessible to these repos.

Recommended Actions

1. Verify the APP_ID secret is set at the org level and accessible to these repos
2. Check the dependabot-automerge.yml shared workflow in standards/workflows/ for correct secret references
3. Ensure the dependabot-automerge-petry GitHub App has correct permissions
4. Test with a manual Dependabot PR after fix

Context

Identified during weekly org CI/Security survey on 2026-04-05.

[claude]

Claude finished @don-petry's task in 4m 41s —— View job • claude/issue-29-20260406-0321 • Create PR ➔

---

Analysis and Fix for Issue #29

Root cause: secrets.APP_ID resolves to an empty string in the workflow context, causing the opaque [@octokit/auth-app] appId option is required error. Two contributing issues found:

1. No secret-presence guard — workflows hit the @octokit/auth-app library before any actionable diagnostic is emitted
2. .github/workflows/dependabot-automerge.yml was missing skip-commit-verification: true (the dependabot-rebase workflow uses the merge method, producing GitHub-authored merge commits that fetch-metadata rejects without this flag)

---

Changes pushed to branch claude/issue-29-20260406-0321

• standards/workflows/dependabot-automerge.yml — add Check app secrets step before token generation
• standards/workflows/dependabot-rebase.yml — add Check app secrets step before token generation

The guard reads APP_ID via env (safe, never logs the value), emits a clear ::error:: annotation pointing to the policy doc, and exits 1 so the job fails with a meaningful message rather than a library stack trace.

Manual follow-up required

The GitHub App running this automation does not have workflows permission and cannot modify .github/workflows/ files directly.

After merging, a maintainer must manually apply these two changes to .github/workflows/dependabot-automerge.yml (and to the equivalent file in affected repos like ContentTwin):

1. Add skip-commit-verification: true to the dependabot/fetch-metadata step
2. Copy the new Check app secrets step from standards/workflows/dependabot-automerge.yml

Root secret configuration

The workflow fix makes the error message actionable, but the underlying secret must also be configured:

• Verify APP_ID and APP_PRIVATE_KEY secrets are set at the org level (Settings → Secrets and variables → Actions) and that the dependabot-automerge-petry GitHub App has contents:write and pull-requests:write permissions

---

[claude]

Claude finished @don-petry's task in 18m 52s —— View job • claude/issue-29-20260406-0341 • [Create PR ➔](https://github.com/petry-projects/.github/compare/main...claude/issue-29-20260406-0341?quick_pull=1&title=Issue%20%2329%3A%20Changes%20from%20Claude&body=This%20PR%20addresses%20issue%20%2329%0A%0AGenerated%20with%20%5BClaude%20Code%5D(https%3A%2F%2Fclaude.ai%2Fcode)

---

Fixing Dependabot Auto-merge (Issue #29)

• Gather context (reading CLAUDE.md and workflow files)
• Understand root cause and required changes
• Add Check app secrets guard to standards/workflows/dependabot-automerge.yml
• Add Check app secrets guard to standards/workflows/dependabot-rebase.yml
• Note: .github/workflows/dependabot-automerge.yml cannot be modified — manual follow-up required (see below)
• Commit and push changes
• Create PR (#69)
• Self-review — no bugs found
• CI green (mergeStateStatus: CLEAN) — fixed yamllint line-length violation in second commit
• Tag CODEOWNERS for review

---

Changes in #69

Root cause confirmed: secrets.APP_ID resolves to an empty string when the org secret is not configured, causing actions/create-github-app-token to fail with the cryptic [@octokit/auth-app] appId option is required error.

File	Change
standards/workflows/dependabot-automerge.yml	Add Check app secrets guard step (already has skip-commit-verification: true)
standards/workflows/dependabot-rebase.yml	Add Check app secrets guard step

The guard reads APP_ID via env: (never logs the value), emits ::error:: with an actionable message, and exits 1.

Manual follow-up required after merge

The GitHub App does not have workflows permission — .github/workflows/ files must be updated manually:

1. Add skip-commit-verification: true to the dependabot/fetch-metadata step in .github/workflows/dependabot-automerge.yml
2. Add the Check app secrets guard step (copy from updated standards template)
3. Apply the same changes to ContentTwin and any other affected repos
4. Verify APP_ID and APP_PRIVATE_KEY are set at org level (Settings → Secrets and variables → Actions)

@don-petry — please review PR #69 and merge when ready.
• Branch • PR #69