chore: disable CodeRabbit check-suite auto-trigger (closes #258)

[don-petry]

Summary

• Applied the check-suite-auto-trigger compliance fix via GitHub API: set auto_trigger_checks: false for CodeRabbit (app_id 347564) and Claude (app_id 1236702) on this repository
• Added scripts/apply-repo-settings.sh and scripts/lib/push-protection.sh (synced verbatim from petry-projects/.github) so the standard settings can be re-applied or audited directly from this repo

Root Cause

CodeRabbit's GitHub App was configured to auto-trigger check suites on every push. When CodeRabbit has nothing to review (e.g. non-PR pushes), the suite stays permanently in queued state — and GitHub auto-merge waits for all suites to reach a terminal state before merging, so this was permanently blocking auto-merge.

Fix Applied

gh api -X PATCH "repos/petry-projects/google-app-scripts/check-suites/preferences" \
  --input - <<< '{"auto_trigger_checks": [{"app_id": 1236702, "setting": false}, {"app_id": 347564, "setting": false}]}'

Both apps now have auto_trigger_checks: false. GitHub will no longer auto-create check suites for them on every push — they will only create suites explicitly when they have real work to report.

Test Plan

• API call confirmed: both app_ids show "setting": false in the response
• scripts/apply-repo-settings.sh added for future re-application of org-standard settings

Closes #258

Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 19 minutes and 56 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ec43c4e2-8bb1-4732-a5d1-8dd1926a6c95

📥 Commits

Reviewing files that changed from the base of the PR and between 8fd81fd and 4f507cd.

📒 Files selected for processing (2)

• scripts/apply-repo-settings.sh
• scripts/lib/push-protection.sh

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-258-20260508-1427

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

Self-review notes:

• Both added files (scripts/apply-repo-settings.sh, scripts/lib/push-protection.sh) are verbatim copies from petry-projects/.github — no logic changes.
• The core compliance fix (API call to set auto_trigger_checks: false for CodeRabbit app_id 347564 and Claude app_id 1236702) was applied directly before this PR was created. The setting is active regardless of when/whether this PR merges.
• apply-repo-settings.sh was committed as mode 100644 rather than 100755 due to sandbox restrictions during authoring. This can be fixed with git update-index --chmod=+x scripts/apply-repo-settings.sh if desired (functionally equivalent since bash scripts can be invoked with bash ./script.sh).

@petry-projects/org-leads — please review and merge when CI is green.

[Copilot]

Pull request overview

This PR addresses compliance issue #258 by disabling GitHub App check-suite auto-trigger behavior that can leave perpetual “queued” check suites (blocking auto-merge), and it adds repo-local scripts to re-apply/audit the org-standard repository settings in the future.

Changes:

• Added a repo settings application script that can disable check-suite auto-trigger preferences for specific GitHub Apps (CodeRabbit/Claude) and apply other org-standard settings.
• Added a shared push-protection Bash library that centralizes required security_and_analysis configuration and related compliance checks.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

File	Description
scripts/apply-repo-settings.sh	New script to apply org-standard repo settings (including disabling check-suite auto-trigger for specified app IDs).
scripts/lib/push-protection.sh	New sourceable library implementing push-protection required-state enforcement and audit checks.

[donpetry-bot]

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 1272435b13fdb4acb2de927d76806ee7e2280ff9
Review mode: triage-approved (single reviewer)

Summary

Prompt-only changes to the org status report template that reduce output size by ~29K bytes. Three changes: (1) Open Issues grouped by repo subsection instead of flat table, dropping the repeated Repo column; (2) duplicate [#N](url) | [title](url) cells merged into single [#N — title](url) cells across Needs Human Review, Open Issues, and Open Discussions tables; (3) MAX_BYTES bumped from 60000 to 64000 (still 1536 bytes below GitHub's 65536 char limit). No data-shape changes.

Linked issue analysis

No closing issue linked, but the PR body clearly describes the problem: daily report #233 exceeded the 60000-byte truncation threshold, causing head -c to drop the start of the report (the @org-leads opener and first three sections). The changes directly address this by shrinking the rendered output.

Findings

No issues found.

• MAX_BYTES 64000: Safe — leaves 1536 bytes of headroom below GitHub's 65536-char issue body limit. Combined with the ~29K reduction in report size, truncation should rarely trigger.
• Prompt template changes: Clean restructuring. The per-repo subsection format for Open Issues and the single-link cell pattern are consistent across all three tables.
• No security concerns: No secrets, auth, eval, injection vectors, or CI security changes.
• Copilot's suppressed comment about UTF-8 truncation in head -c is a pre-existing concern in the truncation step, not introduced by this PR.

CI status

All checks passed:

• Lint: ✓
• ShellCheck: ✓
• Agent Security Scan: ✓
• AgentShield: ✓
• CodeQL (actions): ✓
• SonarCloud: ✓ (0 new issues, 0 security hotspots)
• Dependency audit: ✓

---

Reviewed automatically by the PR-review agent (single-reviewer). Reply if you need a human review.

[donpetry-bot]

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: da50ea5ec4fb0491b665f65a70d7685e7f32bbc6
Review mode: triage-approved (single reviewer)

Summary

This PR brings .github/workflows/dependabot-rebase.yml into compliance with the org canonical stub from petry-projects/.github/standards/workflows/. The changes are minimal (+6/−3 in a single file): adds a missing schedule trigger (0 */4 * * *) as a safety net when no pushes to main occur, updates the header comment to document all three triggers, and corrects the APP_ID permission description to include contents:write.

Linked issue analysis

Closes #256 — a compliance finding (non-stub-dependabot-rebase.yml) from the weekly compliance audit requesting the workflow be replaced with the canonical stub. This PR directly addresses the finding by adopting the standard stub verbatim, including the previously missing schedule trigger.

Findings

No issues found.

• Schedule trigger 0 */4 * * *: Runs every 4 hours. This is the org-standard safety-net cadence — reasonable and not excessive.
• Comment changes only otherwise: The header guidance and APP_ID description updates are documentation-only with no functional impact.
• No permission or secrets changes: The workflow's permissions: block, concurrency: group, and explicit secrets: pass-through are unchanged.
• No security concerns: No new dependencies, no eval/injection vectors, no credential handling changes.

CI status

All checks passed:

• Build and test: ✓
• CodeQL (actions, JS/TS, Python): ✓
• SonarCloud: ✓ (0 new issues, 0 security hotspots)
• AgentShield: ✓
• Secret scan (gitleaks): ✓
• Dependency audit (npm): ✓
• Node.js tests: ✓
• Playwright UI tests: ✓
• Coverage: ✓

---

Reviewed automatically by the PR-review agent (single-reviewer). Reply if you need a human review.

Superseded by automated re-review at b5cccf8.

[donpetry-bot]

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: b5cccf865bff7193bfe682e7c0baf2966bbd34ab
Review mode: triage-approved (single reviewer)

Summary

Adds two utility scripts synced verbatim from petry-projects/.github to enable re-applying and auditing org-standard repository settings directly from this repo. The actual compliance fix (setting auto_trigger_checks: false for CodeRabbit app_id 347564 and Claude app_id 1236702) was applied via direct API call before this PR was created. These scripts provide future maintainability.

Linked issue analysis

Closes #258 — compliance finding check-suite-auto-trigger-347564. The PR body documents the root cause (CodeRabbit's auto-triggered check suites staying permanently "queued", blocking GitHub auto-merge) and the fix applied. The scripts added here ensure the setting can be re-applied or audited in the future.

Findings

No issues found.

• Security posture: Scripts enable security features (secret scanning, push protection, dependabot security updates) — no security weakening.
• No injection vectors: All gh api calls use hardcoded paths and structured JSON payloads built from static arrays. No user-controlled input reaches shell expansion.
• Bash best practices: Both scripts use set -euo pipefail, proper quoting, shellcheck directives, and Bash 4+ version guard.
• File permissions: Author noted 100644 mode (not executable) due to sandbox constraints — functionally equivalent since scripts can be invoked with bash ./script.sh. Non-blocking.
• SonarCloud: Quality gate passed, 0 security hotspots, 0 accepted issues.

CI status

All checks passed:

• Build and test: ✓
• CodeQL (actions, JS/TS, Python): ✓
• SonarCloud: ✓ (quality gate passed, 0 security hotspots)
• AgentShield: ✓
• Secret scan (gitleaks): ✓
• Dependency audit (npm): ✓
• Node.js tests: ✓
• Playwright UI tests: ✓
• Coverage: ✓
• CodeRabbit: ✓

---

Reviewed automatically by the PR-review agent (single-reviewer). Reply if you need a human review.

Superseded by automated re-review at b5cccf8.

[sonarqubecloud]

Quality Gate passed

Issues
42 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[donpetry-bot]

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the donpetry-bot PR-review cascade.

[don-petry]

@dev-lead - please fix this PR

[github-actions]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push