
fix: disable Claude + CodeRabbit auto-trigger check suites to unblock auto-merge #195

Merged: don-petry merged 6 commits into main from fix/check-suite-auto-trigger on May 6, 2026

Conversation

don-petry (Contributor) commented May 5, 2026

Summary

  • GitHub auto-creates "queued" check suites for Claude (app_id 1236702) and CodeRabbit (app_id 347564) on every push to any branch with an open PR. When those apps have nothing to do, the suites stay in queued state forever.
  • GitHub auto-merge waits for all check suites — not just required ones — to reach a terminal state before merging. This is why PRs show mergeStateStatus: BLOCKED even with reviewDecision: APPROVED and all required checks green.
  • Fix: PATCH /repos/{owner}/{repo}/check-suites/preferences with auto_trigger_checks: [{app_id: N, setting: false}] stops GitHub from auto-creating these suites. The apps still create them explicitly when they have real work to report.

Changes

  • scripts/apply-repo-settings.sh: apply_check_suite_prefs() applies the preference to a repo
  • scripts/compliance-audit.sh: check_check_suite_prefs() detects drift and creates error-severity findings

Test plan

  • CI passes on this PR
  • Apply to this repo manually: bash scripts/apply-repo-settings.sh .github
  • Verify preferences: gh api repos/petry-projects/.github/check-suites/preferences --jq '.preferences.auto_trigger_checks' → should show setting: false for both app IDs
  • Push a test commit to an open PR branch → Checks tab should show no new queued suites from Claude or CodeRabbit
  • After merge: run bash scripts/apply-repo-settings.sh --all to apply across all org repos

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Repository settings now enforce GitHub Check Suite auto-trigger preferences for specified GitHub Apps (e.g., Claude, CodeRabbit).
    • Added organization-wide compliance audit to verify Check Suite auto-trigger settings across all repositories.
  • Documentation

    • Added "Check-Suite Auto-Trigger Preferences" guidance with steps to review and disable auto-triggering and notes on orphaned suites.
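As an added illustration (not code from the PR's own scripts), the Python below models the preferences document the test plan reads with gh api and reproduces the semantics this PR describes: a target app with setting true is drift and yields an error finding, a missing entry is compliant, and an unreadable document becomes a warning finding instead of a silent skip. The sample documents, the repo and org names, and the exact gh api invocation are assumptions.

```python
"""Check-suite auto-trigger preferences: drift audit and PATCH payload."""
import json

# Target GitHub App IDs named in the PR: Claude and CodeRabbit.
CHECK_SUITE_APP_IDS = (1236702, 347564)

# Constructed sample documents in the shape of the API response the test
# plan queries (`.preferences.auto_trigger_checks`). In SAMPLE_PREFS Claude
# is still auto-triggered, CodeRabbit has never run here (no entry), and
# app 12345 is an unrelated app that must be left untouched.
SAMPLE_PREFS = {
    "preferences": {
        "auto_trigger_checks": [
            {"app_id": 1236702, "setting": True},
            {"app_id": 12345, "setting": True},
        ]
    }
}
COMPLIANT_PREFS = {
    "preferences": {
        "auto_trigger_checks": [
            {"app_id": 1236702, "setting": False},
            {"app_id": 347564, "setting": False},
        ]
    }
}

def auto_trigger_settings(prefs):
    """Return {app_id: setting} from a parsed preferences document."""
    entries = prefs.get("preferences", {}).get("auto_trigger_checks", [])
    return {int(e["app_id"]): bool(e["setting"]) for e in entries}

def audit_check_suite_prefs(repo, prefs, app_ids=CHECK_SUITE_APP_IDS):
    """Audit one repo. `prefs` is the parsed document, or None when the
    API call failed. Returns a list of finding dicts (empty = compliant)."""
    if prefs is None:
        # Coverage gap: record that the control was not evaluated rather
        # than silently skipping the repo.
        return [{"repo": repo, "control": "check-suite-prefs-unreadable",
                 "severity": "warning",
                 "detail": "could not read check-suites/preferences"}]
    settings = auto_trigger_settings(prefs)
    # A missing entry means the app has never created a check run in this
    # repo, so no orphaned suite is possible: treated as compliant.
    return [{"repo": repo, "control": "check-suite-auto-trigger",
             "severity": "error", "app_id": app_id,
             "detail": f"auto_trigger_checks enabled for app {app_id}"}
            for app_id in app_ids if settings.get(app_id) is True]

def build_patch_payload(prefs, app_ids=CHECK_SUITE_APP_IDS):
    """Body for PATCH .../check-suites/preferences, limited to the target
    apps that are currently enabled; None when there is nothing to change."""
    settings = auto_trigger_settings(prefs)
    to_disable = [a for a in app_ids if settings.get(a) is True]
    if not to_disable:
        return None
    return {"auto_trigger_checks": [{"app_id": a, "setting": False}
                                    for a in to_disable]}

def gh_api_patch_argv(owner, repo):
    """Assumed gh CLI invocation for applying a payload supplied on stdin
    (`--input -`); built here for display only, never executed."""
    return ["gh", "api", "--method", "PATCH",
            f"repos/{owner}/{repo}/check-suites/preferences", "--input", "-"]

if __name__ == "__main__":
    for finding in audit_check_suite_prefs("demo-repo", SAMPLE_PREFS):
        print(f"[{finding['severity']}] {finding['repo']}: {finding['detail']}")
    payload = build_patch_payload(SAMPLE_PREFS)
    print(" ".join(gh_api_patch_argv("example-org", "demo-repo")))
    print(json.dumps(payload))
```

Because the payload only lists the target apps that are currently enabled, an unrelated app's existing preference is never rewritten by the PATCH.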

… auto-merge

GitHub auto-creates "queued" check suites for every GitHub App that has
ever run in a repo, on every push. Claude (app_id 1236702) and CodeRabbit
(app_id 347564) create these suites proactively but only complete them
when they have real work to do. When they have nothing to do (no @claude
mention, no CodeRabbit trigger), the suites stay queued forever.

GitHub auto-merge waits for ALL check suites — not just required ones —
to reach a terminal state before merging. Result: mergeStateStatus: BLOCKED
even with reviewDecision: APPROVED and all required checks passing.

Fix: PATCH /repos/{owner}/{repo}/check-suites/preferences with
auto_trigger_checks: [{app_id: N, setting: false}] for both app IDs.
GitHub stops auto-creating the suites; the apps still create them
explicitly when they have real work to report.

- apply-repo-settings.sh: apply_check_suite_prefs() applies the fix per repo
- compliance-audit.sh: check_check_suite_prefs() detects drift and files issues

After merge: run apply-repo-settings.sh --all once to apply across all repos.
The weekly compliance-audit-and-improvement workflow enforces it going forward.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 5, 2026 03:42
@don-petry don-petry requested a review from a team as a code owner May 5, 2026 03:42
coderabbitai Bot commented May 5, 2026

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 44 minutes and 52 seconds before requesting another review.

To continue reviewing without waiting, purchase usage credits in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 81a8ad27-61cc-4ba5-b5a1-60fa3ba926cb

📥 Commits

Reviewing files that changed from the base of the PR and between f9ca86a and 705abb2.

📒 Files selected for processing (3)
  • scripts/apply-repo-settings.sh
  • scripts/compliance-audit.sh
  • standards/github-settings.md
Walkthrough

Adds org- and repo-level check-suite auto-trigger handling: an enforcement step in scripts/apply-repo-settings.sh to disable auto-trigger for specific GitHub App IDs, a complementary audit check in scripts/compliance-audit.sh to flag repos with auto-trigger enabled, and docs in standards/github-settings.md.

Changes

Check-Suite Preference Management

| Layer | File(s) | Summary |
| --- | --- | --- |
| Configuration | scripts/apply-repo-settings.sh, scripts/compliance-audit.sh | Adds CHECK_SUITE_APP_IDS=(1236702 347564) to both scripts to enumerate target GitHub App IDs. |
| Logging primitive | scripts/apply-repo-settings.sh | Adds warn() logging and adjusts err() / skip() definitions used by the new flow. |
| Enforcement implementation | scripts/apply-repo-settings.sh | Adds apply_check_suite_prefs() to fetch check-suites/preferences, build a PATCH payload that sets auto_trigger_checks to false for the listed app IDs, and call gh api to apply the change (no-op under DRY_RUN). |
| Wiring: apply script | scripts/apply-repo-settings.sh | Invokes apply_check_suite_prefs "$repo" in the --all loop and apply_check_suite_prefs "$1" in single-repo mode, after the other per-repo settings. |
| Audit implementation | scripts/compliance-audit.sh | Adds check_check_suite_prefs(), which reads check-suites/preferences, records an error finding when a target app ID has auto_trigger_checks enabled, and is parameterized by CHECK_SUITE_APP_IDS. |
| Wiring: audit flow | scripts/compliance-audit.sh | Calls check_check_suite_prefs "$repo" from main() before the existing checks (pp_run_all_checks). |
| Documentation | standards/github-settings.md | Adds a "Check-Suite Auto-Trigger Preferences" section describing the behavior, target apps table, manual remediation steps, and notes on orphaned suites. |

Sequence Diagram(s)

sequenceDiagram
  participant ApplyScript as Apply Script
  participant AuditScript as Audit Script
  participant GitHubAPI as GitHub API
  participant Operator as Operator

  Operator->>ApplyScript: run script (--all or single-repo)
  ApplyScript->>GitHubAPI: GET repos/:org/:repo/check-suites/preferences
  GitHubAPI-->>ApplyScript: preferences (list of apps + auto_trigger_checks)
  ApplyScript->>GitHubAPI: PATCH repos/:org/:repo/check-suites/preferences (set auto_trigger_checks:false for targeted apps)
  GitHubAPI-->>ApplyScript: 200/response
  Operator->>AuditScript: run compliance audit
  AuditScript->>GitHubAPI: GET repos/:org/:repo/check-suites/preferences
  GitHubAPI-->>AuditScript: preferences
  AuditScript-->>Operator: emit finding if any target app has auto_trigger_checks:true

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • petry-projects/.github#12: Modifies scripts/compliance-audit.sh; this PR extends that script with CHECK_SUITE_APP_IDS and check_check_suite_prefs().
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 40.00%, which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped: CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely identifies the main fix: disabling auto-trigger check suites for the Claude and CodeRabbit apps to resolve the auto-merge blocking issue. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


coderabbitai Bot left a comment

Actionable comments posted: 3

Inline comments:
In `@scripts/apply-repo-settings.sh`:
- Around line 248-249: The script calls warn() on failure paths but never
defines it, causing "command not found" errors; add a warn() function near the
top (alongside any existing log/info/error helpers) that accepts a message,
writes it to stderr (e.g., printf "%s\n" "$*" >&2) and returns a non-zero status
or otherwise matches the behavior of other logger helpers so calls like warn
"Could not read check-suite preferences for $repo — skipping" and the other
usage at the similar branch work correctly; update or reuse existing logger
helpers if present (e.g., info, error) so warn() is consistent with them.
- Around line 247-250: The branch that checks if "$prefs" is empty currently
calls warn "Could not read check-suite preferences..." and then uses return 0
which incorrectly signals success; update the control flow in the function that
contains the prefs check so that when prefs is empty it returns a non-zero
status (e.g., return 1) or otherwise exits with a failure code instead of return
0, ensuring callers detect the error; keep the warn call and only change the
return value from 0 to a failure code to surface enforcement failures.

In `@scripts/compliance-audit.sh`:
- Around line 868-870: The script currently silences failures when querying
check-suite preferences (prefs=$(gh_api ...); [ -z "$prefs" ] && return), which
hides coverage gaps; replace the silent return with logic that emits a finding
for the repo indicating the control was not evaluated (use your existing
findings mechanism — e.g., call record_finding or append a message to the
findings array — with repo name $repo, control "check-suite-preferences", and a
reason like "API unavailable/empty response"), then continue or skip further
checks for that repo; keep the gh_api call and prefs variable but ensure the
error/finding includes the repo and reason so the audit records the missing
evaluation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: b87eec94-c6a1-4a36-b562-3418d5c56082

📥 Commits

Reviewing files that changed from the base of the PR and between 12858a4 and d25240a.

📒 Files selected for processing (2)
  • scripts/apply-repo-settings.sh
  • scripts/compliance-audit.sh

Copilot AI (Contributor) left a comment

Pull request overview

This PR aims to unblock GitHub auto-merge by disabling GitHub’s automatic creation of check suites for the Claude and CodeRabbit GitHub Apps, which can otherwise remain permanently in a queued state and block merging.

Changes:

  • Add a compliance-audit check to detect repos where Claude/CodeRabbit check-suite auto-triggering is still enabled.
  • Add an apply-repo-settings step that PATCHes check-suites/preferences to disable auto-triggered check suites for those app IDs.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| scripts/compliance-audit.sh | Adds check_check_suite_prefs() to report an error finding when Claude/CodeRabbit auto-trigger checks are enabled. |
| scripts/apply-repo-settings.sh | Adds apply_check_suite_prefs() to PATCH repo check-suite preferences and disable auto-trigger for the two app IDs. |

- Add warn() to apply-repo-settings.sh (was undefined, would crash on error path)
- Return 1 (not 0) when check-suite preferences cannot be fetched (masking enforcement failures)
- Treat "missing" setting as compliant in apply_check_suite_prefs, matching audit behavior (app has never run in repo — no orphaned suite possible)
- Document check-suite auto-trigger preferences requirement in standards/github-settings.md, including the classic-PAT requirement for the PATCH endpoint

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
don-petry (Contributor, Author) commented:
Test results — behavior confirmed on this PR

Tested by monitoring check suites on both this PR (#195) and PR #193 (which was rebased on main by the auto-rebase workflow during this session).

Findings

Bug confirmed on every push: On every commit to a PR branch, GitHub auto-creates check suites for the Claude (app_id 1236702) and CodeRabbit (app_id 347564) apps. These suites are never updated — they stay queued forever.

Key observation from this PR's own head commit (d25240a):

  • claude-code / claude GitHub Actions job: ran ✅ 03:42:58 – 03:44:57Z
  • CodeRabbit review posted: ✅ 03:46:18Z (CHANGES_REQUESTED)
  • Claude App check suite: queued, updated_at: 03:42:42Z (never touched after creation)
  • CodeRabbit check suite: queued, updated_at: 03:42:42Z (never touched after creation)

The action and the app suite are completely independent. The claude-code-action runs inside a GitHub Actions check suite and has no mechanism to update the Claude App's separate suite. Same for CodeRabbit — posting a review does not close the suite.

The fix

PATCH /repos/{owner}/{repo}/check-suites/preferences with auto_trigger_checks: false for both app IDs stops GitHub from auto-creating these suites. The apps can still create suites explicitly when they have real work to report.

PAT requirement discovered

The check-suites/preferences PATCH endpoint rejects OAuth app tokens (gho_*) with HTTP 403:

"You must authenticate with a personal access token, or basic auth, or via a GitHub App"

Classic PAT (ghp_*) with repo scope is required. apply-repo-settings.sh already requires a PAT via GH_TOKEN — the standards doc now documents this explicitly. The CI workflow's GH_PAT_WORKFLOWS secret satisfies this requirement.

After merge

Run with a classic PAT to apply across all org repos:

GH_TOKEN=<classic-pat> bash scripts/apply-repo-settings.sh --all

coderabbitai Bot left a comment

Actionable comments posted: 2


Inline comments:
In `@scripts/apply-repo-settings.sh`:
- Around line 246-250: The gh API calls that read and PATCH check-suite
preferences currently discard stderr (the prefs=$(gh api
"repos/$ORG/$repo/check-suites/preferences" 2>/dev/null || true) and the
subsequent PATCH call), which hides useful GitHub error messages; change these
to capture the command output and stderr into variables (e.g., prefs and
prefs_err or a combined var), check command exit status, and call warn with a
descriptive message including the captured error details and the repo name when
the read or PATCH fails so token/permission errors are preserved for debugging;
update the code around prefs and the PATCH invocation accordingly.

In `@standards/github-settings.md`:
- Around line 258-265: Update the paragraph under "Required configuration" to
explicitly state that a missing `auto_trigger_checks` entry for the listed app
IDs is treated as compliant (until that app has ever created a check run), and
clarify that both `scripts/apply-repo-settings.sh` and
`scripts/compliance-audit.sh` treat a missing entry as acceptable; mention the
specific keys `auto_trigger_checks` and the app IDs `1236702` and `347564` so
readers can find the table rows for Claude (`anthropics/claude-code-action`) and
CodeRabbit and avoid chasing non-issues.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6097d04c-1a39-4c28-80b7-72a093efa4fd

📥 Commits

Reviewing files that changed from the base of the PR and between d25240a and f9ca86a.

📒 Files selected for processing (2)
  • scripts/apply-repo-settings.sh
  • standards/github-settings.md

don-petry and others added 2 commits May 5, 2026 19:33
Instead of silently skipping when the check-suites/preferences API call
fails (which hides audit coverage gaps), emit a warning-level finding so
operators know the control was not evaluated.

Addresses CodeRabbit review comment on PR #195.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- apply-repo-settings.sh: capture API error details on prefs read/PATCH
  failure instead of swallowing stderr, so token-type and permission
  issues are visible in output
- standards/github-settings.md: clarify that a missing auto_trigger_checks
  entry (app never ran in repo) is treated as compliant by both apply and
  audit scripts — operators should not chase non-issues

Addresses CodeRabbit nitpick and minor comments on PR #195.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
don-petry (Contributor, Author) commented:

All review comments have been addressed:

| Thread | Status |
| --- | --- |
| CR: warn() not defined in apply script | ✅ Fixed in aefaba3 (added warn() helper) |
| CR: return 0 masking enforcement failures | ✅ Fixed in aefaba3 (changed to return 1) |
| CR/Copilot: missing semantic mismatch (apply vs audit) | ✅ Fixed in aefaba3 (both now skip missing state) |
| CR: emit finding when prefs unreadable (audit) | ✅ Fixed in b131b12 (now emits check-suite-prefs-unreadable warning) |
| Copilot: standards doc missing check-suite section | ✅ Fixed in aefaba3 (new section added) |
| Copilot: standards doc missing section anchor | ✅ Fixed in aefaba3 |
| CR nitpick: preserve API error details on failure | ✅ Fixed in ad005d7 (stderr captured and logged) |
| CR minor: document missing-entry compliance | ✅ Fixed in ad005d7 (paragraph added to standards doc) |

@petry-projects/org-leads — all CI checks passing and review items resolved. Ready for a final look and merge.

don-petry (Contributor, Author) commented:

All review comments addressed:

  • warn() missing → fixed in aefaba3
  • return 0 masking failures → fixed in aefaba3 (now return 1)
  • missing semantic mismatch → fixed in aefaba3 (both scripts skip missing)
  • audit: emit finding when prefs unreadable → fixed in b131b12
  • standards doc → updated in aefaba3 + ad005d7
  • API error details lost → fixed in ad005d7 (stderr now captured and logged)
  • document missing-entry compliance → fixed in ad005d7

@petry-projects/org-leads — ready for review and merge.

Two paragraphs added in the check-suite auto-trigger section exceeded the
200-character line limit. Wrap at sentence/clause boundaries to pass the
markdownlint MD013 check.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sonarqubecloud Bot commented May 6, 2026

@don-petry don-petry requested a review from donpetry-bot May 6, 2026 00:41
don-petry (Contributor, Author) commented:

@coderabbitai review

All prior review comments have been addressed and all threads resolved. Summary of fixes since the last approval:

  • fix(lint) (705abb2): wrapped two long paragraphs in standards/github-settings.md to satisfy MD013 (200-char limit) — this is the only change since your last approval.

don-petry (Contributor, Author) commented:

@coderabbitai review

All prior review comments are addressed and all 8 threads are resolved. The only change since your last approval (00:40 UTC) is commit 705abb2 — a line-wrap fix in standards/github-settings.md to satisfy MD013. No logic changes.

coderabbitai Bot commented May 6, 2026

@don-petry: Understood! The lint fix wrapping long lines in standards/github-settings.md to satisfy MD013 looks like a purely cosmetic/formatting change. I'll kick off a fresh review now.


coderabbitai Bot commented May 6, 2026

@don-petry, I'll kick off a fresh review now. Given that commit 705abb2 is purely a line-wrap formatting fix in standards/github-settings.md for MD013 compliance with no logic changes, this should be straightforward to clear.


donpetry-bot (Contributor) left a comment

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 705abb2e5660d5c8a69fcb1f3a50b16e5bf463c2
Review mode: triage-approved (single reviewer)

Summary

Adds check-suite auto-trigger preference management to the existing apply-repo-settings.sh and compliance-audit.sh scripts. Disables auto-trigger for Claude (app_id 1236702) and CodeRabbit (app_id 347564) GitHub Apps to prevent orphaned queued check suites from permanently blocking GitHub auto-merge. All changes are additive (+130, -0) across 3 files with corresponding documentation in standards/github-settings.md.

Linked issue analysis

No linked issues. The PR body provides thorough context explaining the root cause (GitHub auto-creates check suites that stay queued forever, blocking auto-merge) and the fix mechanism (PATCH /repos/{owner}/{repo}/check-suites/preferences).

Findings

No blocking issues found.

  • Security: No credentials, secrets, auth changes, or injection vectors. The gh api calls use hardcoded app IDs processed through jq — no user-controlled input flows into shell commands or API payloads.
  • Correctness: Both scripts consistently handle the missing state (app never seen in repo) by skipping it. Error paths properly return non-zero and emit diagnostic messages with captured API errors. DRY_RUN mode is respected.
  • Consistency: The new functions follow existing patterns in both scripts (logging helpers, error handling, add_finding usage in audit). The CHECK_SUITE_APP_IDS constant is duplicated across both scripts, which mirrors how other constants (e.g., REQUIRED_LABEL_SPECS) are already handled.
  • Prior review feedback: All 8 review threads from CodeRabbit and Copilot were addressed across commits aefaba3, b131b12, ad005d7, and 705abb2. CodeRabbit confirmed each fix and gave final approval.
  • Documentation: Standards doc updated with clear explanation, required configuration table, manual remediation steps, and PAT requirement note.

CI status

| Check | Status |
| --- | --- |
| ShellCheck | ✅ SUCCESS |
| Lint | ✅ SUCCESS |
| CodeQL | ✅ SUCCESS |
| SonarCloud | ✅ SUCCESS (0 issues, 0 hotspots) |
| Agent Security Scan | ✅ SUCCESS |
| AgentShield | ✅ SUCCESS |
| claude-code / claude | ✅ SUCCESS |

All required checks pass. Skipped checks (dependabot, npm/pnpm/pip/cargo audit, govulncheck) are not applicable to shell scripts.


Reviewed automatically by the don-petry PR-review agent (single-reviewer mode: opus 4.6). Reply with @don-petry if you need a human.

@don-petry don-petry merged commit d23e834 into main May 6, 2026
20 checks passed
@don-petry don-petry deleted the fix/check-suite-auto-trigger branch May 6, 2026 01:19