compliance: confirm allow_auto_merge is enabled #103
The repository setting allow_auto_merge is already true and .github/workflows/dependabot-automerge.yml exists verbatim from the org standard template. This commit formally closes the compliance finding.
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot wasn't able to review any files in this pull request.
@don-petry — this PR formally closes the compliance finding #89. Everything is already in compliance (no code changes needed), so feel free to merge when ready.
don-petry left a comment
Automated review — APPROVED
Risk: LOW
Reviewed commit: b3378d1e98ef0e067a67836a2fb3db2cfd8281c2
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)
Summary
This PR contains zero file changes — it is a compliance-acknowledgment PR formally closing issue #89 by documenting that allow_auto_merge is already enabled and the dependabot-automerge workflow already exists. All CI checks pass (CodeQL, SonarCloud, AgentShield, dependency-audit) with no new issues. The triage escalation was due to a triage-output-invalid signal, not a substantive concern.
Findings
Info
[info] — PR has 0 additions, 0 deletions, 0 changed files. The compliance fix (allow_auto_merge=true) was applied outside this PR via GitHub API/settings, not tracked as a code change. This is acceptable for a repository-settings compliance closure but means the fix cannot be verified through the diff alone.
[info] — Author don-petry left a self-addressed comment (@don-petry) approving their own PR. This is an automated Claude Code comment pattern — harmless but slightly unusual.
[info] — dependabot-automerge workflow check was SKIPPED, which is expected — the workflow only triggers on Dependabot PRs, not compliance PRs.
[info] — Issue #89 is still in OPEN state; it will auto-close on merge via the 'Closes #89' reference in the PR body.
CI status
All CI checks pass: CodeQL ✓, SonarCloud ✓, AgentShield ✓, dependency-audit ✓. dependabot-automerge was skipped (expected for non-Dependabot PRs).
Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.



Summary
allow_auto_merge: true is active (verified via GitHub API)
.github/workflows/dependabot-automerge.yml exists verbatim from the org standard template
Background
The compliance audit (issue #89) flagged allow_auto_merge as null. The setting was subsequently enabled, and the Dependabot auto-merge workflow was already present from a prior commit. This PR formally closes the compliance finding.
Verification
Closes #89
Generated with Claude Code
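
The review above notes that the settings change cannot be verified through the diff alone. As an added example (not part of this PR or the project's tooling), an offline check of the two controls the PR names, run against a saved repository API response and the workflow file's bytes. The JSON documents, template bytes and function names are constructed for illustration, and treating null as "unknown" rather than "disabled" is an assumption.

```python
import hashlib
import json
from typing import Optional

WORKFLOW_PATH = ".github/workflows/dependabot-automerge.yml"  # path named in the PR


def audit(repo_json: str, workflow: Optional[bytes], template: bytes) -> dict:
    """Evaluate both controls; returns control -> (status, evidence)."""
    repo = json.loads(repo_json)
    result = {}

    # null or absent is reported as "unknown", not "disabled" (assumption:
    # the audit's null came from a response that did not expose the setting).
    value = repo.get("allow_auto_merge")
    if value is True:
        result["allow_auto_merge"] = ("pass", "true")
    elif value is None:
        result["allow_auto_merge"] = ("unknown", "null or absent")
    else:
        result["allow_auto_merge"] = ("fail", json.dumps(value))

    # "Verbatim" means byte-for-byte, so compare digests of the raw bytes.
    if workflow is None:
        result[WORKFLOW_PATH] = ("fail", "file missing")
    else:
        got = hashlib.sha256(workflow).hexdigest()
        want = hashlib.sha256(template).hexdigest()
        status = "pass" if got == want else "fail"
        result[WORKFLOW_PATH] = (status, f"sha256 {got[:12]} vs template {want[:12]}")
    return result


def compliant(result: dict) -> bool:
    """True only when every control is an explicit pass."""
    return all(status == "pass" for status, _ in result.values())


# Constructed inputs (not the real repository response or org template).
TEMPLATE = b"name: dependabot-automerge\non: pull_request\n"
BEFORE = '{"name": "example-repo", "allow_auto_merge": null}'
AFTER = '{"name": "example-repo", "allow_auto_merge": true}'

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(doc, TEMPLATE, TEMPLATE))
```

Storing the returned evidence strings alongside the closed finding gives a later auditor something to re-check when the PR itself has no diff.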