compliance: confirm allow_auto_merge is enabled (closes #89) #122

Open
don-petry wants to merge 2 commits into main from claude/issue-89-20260418-1841

@don-petry
Contributor

Summary

Verifies and re-applies repository setting allow_auto_merge: true for Dependabot workflow compliance.

What was done

  • Confirmed allow_auto_merge: true via GitHub API (admin-scoped token)
  • Re-applied the setting: gh api -X PATCH repos/petry-projects/markets -F allow_auto_merge=true
  • Confirmed dependabot-automerge.yml matches org template verbatim

Why the audit keeps firing

The ORG_SCORECARD_TOKEN used by the compliance script likely lacks the administration read permission needed to read allow_auto_merge from the GitHub REST API. Without admin scope, the field returns null even though the setting is enabled. To resolve permanently: audit the ORG_SCORECARD_TOKEN secret in petry-projects/.github to ensure it has admin-level access.

Closes #89

Generated with Claude Code
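
The failure mode described under "Why the audit keeps firing" can be handled in the audit itself by reporting a null allow_auto_merge as indeterminate instead of as a failed control. This is an added example, not code from this PR or from the petry-projects compliance script; the function names, the constructed sample responses and the use of the response's permissions object to explain the null are assumptions.

```python
import json
from enum import Enum
from typing import Dict, Tuple


class Finding(Enum):
    PASS = "pass"
    FAIL = "fail"
    INDETERMINATE = "indeterminate"


def check_allow_auto_merge(repo: dict) -> Tuple[Finding, str]:
    """Classify one GET /repos/{owner}/{repo} response body."""
    value = repo.get("allow_auto_merge")  # absent key and JSON null both give None
    if value is True:
        return Finding.PASS, "allow_auto_merge is enabled"
    if value is False:
        return Finding.FAIL, "allow_auto_merge is disabled"
    if value is not None:
        return Finding.INDETERMINATE, f"unexpected value {value!r}"
    # The setting could not be read. Check what the token is allowed to see
    # before raising a finding against the repository.
    perms = repo.get("permissions") or {}
    if not perms.get("admin", False):
        return (Finding.INDETERMINATE,
                "field not visible to this token (no admin access); "
                "fix the token, do not re-apply the setting")
    return Finding.INDETERMINATE, "field is null despite admin access; investigate"


# Constructed sample responses (not captured from the real repository).
SAMPLES = {
    "admin_token": '{"full_name": "example-org/example-repo", "allow_auto_merge": true,'
                   ' "permissions": {"admin": true, "push": true, "pull": true}}',
    "read_only_token": '{"full_name": "example-org/example-repo", "allow_auto_merge": null,'
                       ' "permissions": {"admin": false, "push": false, "pull": true}}',
    "setting_disabled": '{"full_name": "example-org/example-repo", "allow_auto_merge": false,'
                        ' "permissions": {"admin": true, "push": true, "pull": true}}',
}


def audit(samples: Dict[str, str]) -> Dict[str, str]:
    """Return the finding name for each sample response body."""
    return {name: check_allow_auto_merge(json.loads(body))[0].value
            for name, body in samples.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        finding, reason = check_allow_auto_merge(json.loads(body))
        print(f"{name}: {finding.value} ({reason})")
```

Only an explicit false raises a repository-level finding; an unreadable field points the reviewer at the audit token instead.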

Repository setting allow_auto_merge has been verified and re-applied
via GitHub API (gh api -X PATCH repos/petry-projects/markets
-F allow_auto_merge=true). The dependabot-automerge.yml workflow
already matches the org template verbatim.

Recurring null findings in the compliance audit are due to
ORG_SCORECARD_TOKEN lacking admin scope to read this field from
the GitHub REST API — a false positive at the audit level.

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 18, 2026 18:48

Copilot AI left a comment

Copilot wasn't able to review any files in this pull request.

@don-petry
Contributor Author

@don-petry — PR ready for review. This confirms allow_auto_merge: true is set and re-applies it via the GitHub API. Note: if the compliance audit continues to report null, the ORG_SCORECARD_TOKEN in petry-projects/.github needs admin-level scope to read this field from the REST API. See PR description for details.

@sonarqubecloud
Development

Successfully merging this pull request may close these issues.

Compliance: allow_auto_merge