fix: enable allow_auto_merge in settings.yml for Dependabot workflow

[don-petry]

Summary

• Adds allow_auto_merge: true to .github/settings.yml so the repository setting is declaratively managed via probot/settings
• Also adds delete_branch_on_merge: true and has_wiki: false to match the full standard defaults
• The live GitHub API setting was already true; this PR makes it authoritative and prevents future drift

Root cause

The compliance audit found allow_auto_merge: null because the setting had not been explicitly enabled. The dependabot-automerge.yml workflow was already in place but requires allow_auto_merge to be enabled at the repo level to function.

Changes

• .github/settings.yml: Added repository block with allow_auto_merge: true, delete_branch_on_merge: true, and has_wiki: false

Closes #163

Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 45 minutes and 38 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 45 minutes and 38 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e95f6cfd-0c7d-48d5-a929-c4fb46319763

📥 Commits

Reviewing files that changed from the base of the PR and between 32e618b and ec2afd1.

📒 Files selected for processing (1)

• .github/settings.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-163-20260414-1127

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

@don-petry This PR is ready for review. The change declaratively manages the allow_auto_merge setting (and two companion settings) via probot/settings to resolve the compliance finding and prevent future drift.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

This PR brings the repository’s GitHub settings into compliance by declaring allow_auto_merge: true (required for the existing Dependabot auto-merge workflow) in the probot/settings-managed .github/settings.yml, preventing future drift from live settings.

Changes:

• Added a repository: settings block to explicitly set allow_auto_merge: true.
• Added delete_branch_on_merge: true and has_wiki: false to align with the referenced standard defaults.

[don-petry]

Automated review — APPROVED

Risk: LOW
Reviewed commit: a6f1043be45030acbe18c716bbab19f6cdbafeef
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

Single YAML config change adds three standard repository settings (allow_auto_merge, delete_branch_on_merge, has_wiki) via probot/settings to resolve a compliance audit finding. All CI checks pass (CodeQL, SonarCloud, dependency-audit, tests). No code, secrets, or logic changes; risk is LOW.

Findings

Info — configuration (.github/settings.yml line 6)
allow_auto_merge: true enables the auto-merge feature on the repo. This does not bypass required reviews or status checks — it only allows PRs to be queued for merge once all required gates pass. The existing Dependabot workflow already depends on this setting.

Info — ci
All status checks passed: CodeQL (actions, JS/TS, Python), SonarCloud (0 issues, 0 hotspots), CI Pipeline, Node.js Tests, Playwright UI Tests, dependency audit (npm), AgentShield. Dependabot workflow check was SKIPPED (expected — only runs on Dependabot PRs).

CI status

All required status checks passed. mergeStateStatus is BLOCKED (pending required review — resolved by this approval).

Note: GitHub does not allow approving your own PR. This approval verdict is recorded here as a comment. A human reviewer must click "Approve" to satisfy the required-review gate.

---

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.