chore: repository hardening and automation improvements

## Overview

Tracking repository hardening items and automation improvements.

---

## 1. Dependabot Auto-Merge GitHub App Permissions

**Problem**: Current `gh` CLI cannot auto-merge dependabot PRs that modify workflow files due to missing `workflow` scope.

**Solution**: Create/configure a GitHub App with permissions to auto-merge workflow-modifying PRs.

### Required GitHub App Permissions

| Permission | Access | Reason |
|------------|--------|--------|
| **Contents** | Read & Write | Push to branches, merge PRs |
| **Pull Requests** | Read & Write | Enable auto-merge, update PRs |
| **Workflows** | Read & Write | Merge PRs that modify `.github/workflows/**` |
| **Metadata** | Read | Required for all apps |

### Implementation Options

**Option A: Extend x-repo-auth App**
- Add `workflows: write` permission to existing x-repo-auth app
- Use same 1Password integration pattern
- Simpler - single app for all elevated operations

**Option B: Dedicated dependabot-merge App**
- Create separate app with minimal permissions for dependabot merging
- Better separation of concerns
- More complex - another app to manage

### Usage Pattern (following x-repo-auth)

```yaml
- name: Load secrets from 1Password
  id: op-secrets
  uses: 1password/load-secrets-action@v2
  with:
    export-env: false
  env:
    OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
    DEPENDABOT_MERGE_APP_ID: op://gh-shared/dependabot-merge/app/id
    DEPENDABOT_MERGE_PRIVATE_KEY: op://gh-shared/dependabot-merge/app/private-key.pem

- name: Generate token
  id: app-token
  uses: actions/create-github-app-token@v1
  with:
    app-id: ${{ steps.op-secrets.outputs.DEPENDABOT_MERGE_APP_ID }}
    private-key: ${{ steps.op-secrets.outputs.DEPENDABOT_MERGE_PRIVATE_KEY }}

- name: Merge dependabot PR
  env:
    GH_TOKEN: ${{ steps.app-token.outputs.token }}
  run: gh pr merge $PR_NUMBER --squash
```

### Affected PRs (current)
- #102, #103, #104, #107 - cannot auto-merge due to workflow modifications

---

## 2. Future Hardening Items

- [ ] Tag protection rules for release tags (`*-v*`)
- [ ] Input validation for `repository_dispatch` triggers (#136)
- [ ] Branch protection audit
- [ ] Secret scanning configuration
- [ ] Dependabot security updates (not just version updates)

---

## Labels
- `enhancement`
- `cicd`
- `security`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: repository hardening and automation improvements #143

Overview

1. Dependabot Auto-Merge GitHub App Permissions

Required GitHub App Permissions

Implementation Options

Usage Pattern (following x-repo-auth)

Affected PRs (current)

2. Future Hardening Items

Labels

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Permission	Access	Reason
Contents	Read & Write	Push to branches, merge PRs
Pull Requests	Read & Write	Enable auto-merge, update PRs
Workflows	Read & Write	Merge PRs that modify `.github/workflows/**`
Metadata	Read	Required for all apps

chore: repository hardening and automation improvements #143

Description

Overview

1. Dependabot Auto-Merge GitHub App Permissions

Required GitHub App Permissions

Implementation Options

Usage Pattern (following x-repo-auth)

Affected PRs (current)

2. Future Hardening Items

Labels

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions