Describe the bug
updateAutomatedSecurityFixes is only called inside the if (changes.hasChanges) branch in lib/plugins/repository.js. When all other repository settings already match the desired state (i.e. changes.hasChanges === false), the else branch is taken — but that branch only calls updateSecurity (vulnerability alerts). updateAutomatedSecurityFixes is never invoked, so enableAutomatedSecurityFixes: false in settings.yml has no effect.
Relevant code (lib/plugins/repository.js ~line 96, version 2.1.18):
    if (changes.hasChanges) {
      // ...
      promises.push(updateRepoPromise.then(() => {
        return this.updateSecurity(resp.data, resArray)
      }))
      promises.push(updateRepoPromise.then(() => {
        return this.updateAutomatedSecurityFixes(resp.data, resArray) // ✓ called
      }))
    } else {
      promises.push(this.updateSecurity(resp.data, resArray))
      // ← updateAutomatedSecurityFixes is missing here
    }
To reproduce
settings.yml:
    repository:
      # ... other settings that already match repo state ...
      security:
        enableAutomatedSecurityFixes: false # desired: disabled
- Ensure all other repository: settings already match the current repo state so changes.hasChanges is false
- Run npm run full-sync
- Observe: disableAutomatedSecurityFixes is never called; repos retain their current value
Expected behaviour
updateAutomatedSecurityFixes should be called regardless of whether other repo settings changed — the same way updateSecurity is called in both branches.
Suggested fix
    } else {
      promises.push(this.updateSecurity(resp.data, resArray))
      promises.push(this.updateAutomatedSecurityFixes(resp.data, resArray)) // add this
    }
Environment
- safe-settings version: 2.1.18
- Running via npm run full-sync in GitHub Actions
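The branch logic reported above, reduced to a self-contained model that can serve as a regression check. This is an added example, not code from safe-settings or from the issue author: only updateSecurity, updateAutomatedSecurityFixes and hasChanges are names from the report, while RepoSyncModel, runScenario and the sample data are constructed for illustration.

```javascript
// Added model, not safe-settings source. RepoSyncModel, runScenario and the
// sample data are hypothetical; the reconcilers only record that they ran.
class RepoSyncModel {
  constructor (desired, fixed) {
    this.desired = desired // stands in for the parsed `repository:` block
    this.fixed = fixed // true applies the suggested fix in the else branch
    this.calls = [] // reconcilers invoked during sync, in call order
  }

  async updateRepo (live) {
    this.calls.push('updateRepo')
    Object.assign(live, this.desired.settings)
  }

  async updateSecurity () {
    this.calls.push('updateSecurity')
  }

  async updateAutomatedSecurityFixes (live) {
    this.calls.push('updateAutomatedSecurityFixes')
    live.automatedSecurityFixes = this.desired.security.enableAutomatedSecurityFixes
  }

  async sync (live) {
    const hasChanges = Object.entries(this.desired.settings)
      .some(([key, value]) => live[key] !== value)
    const promises = []
    if (hasChanges) {
      const updateRepoPromise = this.updateRepo(live)
      promises.push(updateRepoPromise.then(() => this.updateSecurity(live)))
      promises.push(updateRepoPromise.then(() => this.updateAutomatedSecurityFixes(live)))
    } else {
      promises.push(this.updateSecurity(live))
      if (this.fixed) promises.push(this.updateAutomatedSecurityFixes(live))
    }
    await Promise.all(promises)
  }
}

// Constructed scenario: the live repo has automated security fixes enabled,
// the desired state disables them, and liveDescription controls hasChanges.
async function runScenario (fixed, liveDescription = 'demo') {
  const desired = { settings: { description: 'demo' }, security: { enableAutomatedSecurityFixes: false } }
  const live = { description: liveDescription, automatedSecurityFixes: true }
  const model = new RepoSyncModel(desired, fixed)
  await model.sync(live)
  return { calls: model.calls, drift: live.automatedSecurityFixes !== false }
}

runScenario(false).then(r => console.log('as reported:', r))
runScenario(true).then(r => console.log('with fix:', r))
```

Calling runScenario(false, 'old') makes an unrelated setting differ, which takes the first branch and hides the drift. That is why the gap only shows up on repositories that are otherwise fully in sync.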