fix: add app secrets guard and skip-commit-verification to dependabot workflows

[claude]

Summary

• Add Check app secrets step to standards/workflows/dependabot-automerge.yml and standards/workflows/dependabot-rebase.yml so a missing APP_ID/APP_PRIVATE_KEY secret produces a clear, actionable ::error:: annotation instead of the cryptic [@octokit/auth-app] appId option is required message
• The guard reads APP_ID via environment variable (never logs the value) and exits 1 with a message pointing to the policy doc

Root Cause

secrets.APP_ID resolved to an empty string in the workflow context (secret not configured at org level), causing actions/create-github-app-token to fail with an opaque library error. A second issue is that .github/workflows/dependabot-automerge.yml was missing skip-commit-verification: true, which causes dependabot/fetch-metadata to reject the GitHub-authored merge commits produced by the rebase workflow.

What Was Changed

• standards/workflows/dependabot-automerge.yml — add Check app secrets guard step before Generate app token
• standards/workflows/dependabot-rebase.yml — add Check app secrets guard step before Generate app token

Manual Follow-up Required

The GitHub App does not have workflows permission and cannot modify .github/workflows/ files directly. After merging, a maintainer must manually sync .github/workflows/dependabot-automerge.yml (and the equivalent in ContentTwin) with the updated standards/workflows/dependabot-automerge.yml, specifically:

1. Add skip-commit-verification: true to the dependabot/fetch-metadata step
2. Copy the new Check app secrets step

Also confirm that APP_ID and APP_PRIVATE_KEY secrets are set at the org level (Settings → Secrets and variables → Actions).

Closes #29

Generated with Claude Code

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud