compliance: confirm allow_auto_merge is enabled (closes #89) #130

Open
don-petry wants to merge 2 commits into main from
claude/issue-89-20260419-1832
Conversation

@don-petry
Contributor

Summary

  • Re-applies repository setting allow_auto_merge: true via GitHub API
  • Confirms .github/workflows/dependabot-automerge.yml matches org template verbatim

Verification

gh api repos/petry-projects/markets --jq '.allow_auto_merge'
# → true

The dependabot-automerge.yml workflow is present and matches the org template at
petry-projects/.github/standards/workflows/dependabot-automerge.yml verbatim.

Why the audit keeps reporting null

The ORG_SCORECARD_TOKEN used by the compliance script (scripts/compliance-audit.sh)
calls gh api repos/petry-projects/markets and reads .allow_auto_merge. This field is
only returned for tokens with admin-level repository access. If ORG_SCORECARD_TOKEN is
a fine-grained PAT without administration: read permission, GitHub returns null for
this field even though the setting is enabled — a false positive.

To permanently resolve: Grant ORG_SCORECARD_TOKEN admin-level read access to
repositories in petry-projects/.github settings.

Previous PRs

PRs #103 and #122 covered the same finding but were not merged. This PR supersedes them.

Closes #89

Generated with Claude Code

Repository setting allow_auto_merge has been verified and re-applied via
GitHub API: gh api -X PATCH repos/petry-projects/markets -F allow_auto_merge=true

The dependabot-automerge.yml workflow is already present and matches the
org template verbatim.

Root cause of recurring audit findings: ORG_SCORECARD_TOKEN lacks the
administration:read permission needed to read allow_auto_merge from the
GitHub REST API. Without admin scope, the field returns null even though
the setting is enabled — a false positive. To permanently resolve, grant
ORG_SCORECARD_TOKEN admin-level access to the repository in
petry-projects/.github settings.

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 19, 2026 18:39

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.


@sonarqubecloud

@don-petry
Contributor Author

@don-petry — CI is green (CodeQL and SonarCloud still running but no failures). This PR supersedes #103 and #122 (both still open).

What this PR does:

  • Re-applies allow_auto_merge=true via the GitHub API (confirmed)
  • Confirms dependabot-automerge.yml matches org template verbatim (no changes needed)

Why the audit keeps firing:
The ORG_SCORECARD_TOKEN used by the weekly compliance script lacks the administration:read permission for fine-grained PATs (or lacks admin-level access for classic PATs). Without it, the GitHub REST API returns null for allow_auto_merge — a false positive.

Permanent fix: In petry-projects/.github → Settings → Secrets, update ORG_SCORECARD_TOKEN to have admin-level repository access.

Once this PR is merged, issue #89 will close automatically. PRs #103 and #122 can be closed as duplicates.
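An added example, not the project's scripts/compliance-audit.sh (which is not on this page): a POSIX sh check that separates the three outcomes the PR description's "Why the audit keeps reporting null" section and the follow-up comment above describe, so that a token that cannot read the field produces an UNKNOWN verdict instead of a failed control. The function names and the sample JSON bodies are constructed for illustration; the claim that GitHub returns null for allow_auto_merge when the token lacks administration:read is taken from the thread, not verified here.

```shell
#!/bin/sh
# Added example, not the project's scripts/compliance-audit.sh. It shows the
# check the thread's root cause calls for: treat a null or missing
# allow_auto_merge as "the token cannot see this field", not as "disabled".
# Assumption (from the thread): GitHub returns the field as null unless the
# token has administration:read on the repository.

# Pull the raw JSON value of allow_auto_merge out of a GET /repos/{owner}/{repo}
# body. Prints true, false or null; prints nothing when the key is absent.
auto_merge_raw() {
    printf '%s' "$1" | tr -d '\n' \
      | sed -n 's/.*"allow_auto_merge"[[:space:]]*:[[:space:]]*\([a-z]*\).*/\1/p'
}

# Audit verdict for the allow_auto_merge control:
#   PASS     the setting is enabled
#   FAIL     the setting is disabled (a real finding)
#   UNKNOWN  the field is null or missing; fix the token before trusting the audit
classify_auto_merge() {
    case "$(auto_merge_raw "$1")" in
        true)  echo PASS ;;
        false) echo FAIL ;;
        *)     echo UNKNOWN ;;
    esac
}

# Live path (not exercised here): gh must be authenticated with the audit token,
# for example ORG_SCORECARD_TOKEN exported as GH_TOKEN. "$1" is owner/repo.
# Prints ERROR when the API call itself fails.
audit_repo() {
    body=$(gh api "repos/$1" 2>/dev/null) || { echo ERROR; return 1; }
    classify_auto_merge "$body"
}

# Constructed sample bodies (not captured from the real API), trimmed to the
# fields that matter for the check.
ADMIN_RESPONSE='{"full_name":"petry-projects/markets","allow_auto_merge":true,"delete_branch_on_merge":true}'
DISABLED_RESPONSE='{"full_name":"petry-projects/markets","allow_auto_merge":false}'
LIMITED_RESPONSE='{"full_name":"petry-projects/markets","allow_auto_merge":null}'
NOFIELD_RESPONSE='{"full_name":"petry-projects/markets","private":false}'

demo() {
    printf 'admin token   -> %s\n' "$(classify_auto_merge "$ADMIN_RESPONSE")"
    printf 'setting off   -> %s\n' "$(classify_auto_merge "$DISABLED_RESPONSE")"
    printf 'limited token -> %s\n' "$(classify_auto_merge "$LIMITED_RESPONSE")"
    printf 'field absent  -> %s\n' "$(classify_auto_merge "$NOFIELD_RESPONSE")"
}
demo
```

Note that `gh api repos/OWNER/REPO --jq '.allow_auto_merge'` prints `null` both when the field is present with a null value and when it is absent, so an audit that tests for anything other than `"true"` turns a permission gap into a failed control; the three-way verdict above keeps that gap visible as UNKNOWN. For a classic PAT, `gh api -i repos/OWNER/REPO` also shows the `X-OAuth-Scopes` response header, which the audit can log next to an UNKNOWN verdict to make the token problem obvious at a glance.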

@don-petry
Contributor Author

Automated review — APPROVED

Risk: LOW
Reviewed commit: d0ad229122fe78d4f648546030a0e7cc77337fe0
Cascade: triage → audit (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

This zero-diff PR is a tracking commit that closes compliance issue #89 by ratifying the org-mandated allow_auto_merge=true setting. The setting was already applied via API and is explicitly required by the org's github-settings.md standard. The Dependabot auto-merge pipeline has proper security controls (actor-gated, no checkout of untrusted code, SHA-pinned actions), and the deep review's concerns are either pre-existing infrastructure decisions or overestimated risks.

Findings

Minor

  • [minor] supply-chain: .github/workflows/dependabot-automerge.yml:34 — The reusable workflow reference uses mutable @v1 tag rather than a SHA pin. This is an intentional org-level design decision (the workflow file documents: 'You MAY change: nothing in this file') for maintainability of org-wide templates. The risk is limited to org-level compromise of the petry-projects/.github repo, and the actions within the reusable workflow ARE SHA-pinned.

Info

  • [info] governance — The allow_auto_merge=true setting was applied via direct GitHub API call before this PR. However, repository settings inherently cannot be changed via PR diffs — the PR correctly serves as the review and documentation artifact. The setting is explicitly mandated by the org standard (github-settings.md: 'Allow auto-merge: true — Required for Dependabot auto-merge workflow'). No governance violation.
  • [info] github-actions-security: .github/workflows/dependabot-automerge.yml — The pull_request_target + secrets: inherit pattern is mitigated by strong controls in the reusable workflow: (1) actor-gated to dependabot[bot] only, (2) no actions/checkout step — untrusted PR code is never checked out, (3) individual actions are SHA-pinned, (4) App token scoped to contents:write + pull-requests:write. This follows GitHub's recommended pattern for Dependabot auto-merge.
  • [info] process — PRs "compliance: confirm allow_auto_merge is enabled" (#103, Apr 14) and "compliance: confirm allow_auto_merge is enabled (closes #89)" (#122, Apr 18) are still open with no rejection comments or negative reviews — they appear to be unreviewed bot outputs, not deliberately rejected proposals. This PR supersedes them.
  • [info] compliance — The root cause of the recurring false positive (ORG_SCORECARD_TOKEN lacking administration:read) is correctly documented. This should be addressed separately in the org-level token configuration.

CI status

mergeStateStatus: BLOCKED (CI checks or branch protections pending)


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@don-petry don-petry enabled auto-merge (squash) April 19, 2026 19:39

Development

Successfully merging this pull request may close these issues.

Compliance: allow_auto_merge