fix: auto-detect merge strategy in workflow templates

GitHub cannot auto-sign rebased commits, so repos with branch
protection requiring signed commits block --rebase merges. Updated
templates to auto-detect the allowed merge strategy (squash > merge >
rebase) instead of hardcoding a specific strategy.

Also added documentation about signed commit + rebase incompatibility
and the auto-detection pattern to the auto-merge guide.

Signed-off-by: Sebastian Mendel <sebastian.mendel@netresearch.de>

Author: CybotTM

skills/github-project/assets/auto-merge-direct.yml.template

@@ -3,8 +3,7 @@
 # Use this template when: Repository has no branch protection rules
 # Note: --auto flag requires branch protection; this template uses direct merge
 # Note: PRs that modify workflow files require manual merge (GITHUB_TOKEN limitation)
-# IMPORTANT: The merge method (--merge/--squash/--rebase) in the "Merge PR" step
-# MUST match the repository's allowed merge methods. Check Settings > General > Pull Requests.
+# Merge strategy is auto-detected from repo settings (squash > merge > rebase).
 name: Auto-merge dependency PRs
 
 on:
@@ -88,10 +87,20 @@ jobs:
 
       - name: Merge PR
         if: steps.check-workflows.outputs.modifies_workflows != 'true'
-        run: gh pr merge --rebase "$PR_URL"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Detect allowed merge strategy
+          # Prefer squash (works with signed commit requirements, clean for single-commit PRs)
+          # then merge (also works with signed commits), then rebase (cannot be auto-signed)
+          STRATEGY=$(gh api "repos/${{ github.repository }}" --jq '
+            if .allow_squash_merge then "--squash"
+            elif .allow_merge_commit then "--merge"
+            elif .allow_rebase_merge then "--rebase"
+            else "--squash" end')
+          echo "Using merge strategy: $STRATEGY"
+          gh pr merge $STRATEGY "$PR_URL"
 
       - name: Comment on workflow PR
         if: steps.check-workflows.outputs.modifies_workflows == 'true'

skills/github-project/assets/auto-merge.yml.template

@@ -1,17 +1,15 @@
-# .github/workflows/auto-merge.yml
+# .github/workflows/auto-merge-deps.yml
 # Auto-merge dependency updates from Dependabot and Renovate
 # Requires: branch protection enabled (--auto flag needs it)
-# IMPORTANT: The merge method (--merge/--squash/--rebase) MUST match the
-# repository's allowed merge methods. Check Settings > General > Pull Requests.
-name: Auto-merge dependency updates
+# Merge strategy is auto-detected from repo settings (squash > merge > rebase)
+name: Auto-merge dependency PRs
 
 on:
   pull_request_target:
     types: [opened, synchronize, reopened]
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   auto-merge:
@@ -23,28 +21,34 @@ jobs:
       github.event.pull_request.user.login == 'dependabot[bot]' ||
       github.event.pull_request.user.login == 'renovate[bot]'
 
+    permissions:
+      contents: write
+      pull-requests: write
+
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@v2
         with:
           egress-policy: audit
 
-      - name: Dependabot metadata
-        id: metadata
-        if: github.event.pull_request.user.login == 'dependabot[bot]'
-        uses: dependabot/fetch-metadata@v2
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
-
-      - name: Auto-approve PR
+      - name: Approve PR
         run: gh pr review --approve "$PR_URL"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Enable auto-merge
-        # Change --squash to --merge or --rebase to match repo settings
-        run: gh pr merge --auto --squash "$PR_URL"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Detect allowed merge strategy
+          # Prefer squash (works with signed commit requirements, clean for single-commit PRs)
+          # then merge (also works with signed commits), then rebase (cannot be auto-signed)
+          STRATEGY=$(gh api "repos/${{ github.repository }}" --jq '
+            if .allow_squash_merge then "--squash"
+            elif .allow_merge_commit then "--merge"
+            elif .allow_rebase_merge then "--rebase"
+            else "--squash" end')
+          echo "Using merge strategy: $STRATEGY"
+          gh pr merge --auto $STRATEGY "$PR_URL"

skills/github-project/references/auto-merge-guide.md

@@ -44,7 +44,8 @@ EOF
 | Renovate PR not using bypass | Workflow racing with Renovate | Only approve in workflow; let Renovate enable auto-merge via `platformAutomerge` |
 | CI can't push to main | Branch protection blocks direct push | Use Renovate `lockFileMaintenance` instead |
 | Workflow not triggering | Rapid merges skip push events | Add `workflow_dispatch` trigger, run manually |
-| "Merge method X not allowed" | Wrong merge strategy | Check `gh api repos/O/R --jq '{merge: .allow_merge_commit, squash: .allow_squash_merge, rebase: .allow_rebase_merge}'`; match workflow |
+| "Merge method X not allowed" | Wrong merge strategy | Use auto-detection (see below) or check `gh api repos/O/R --jq '{merge: .allow_merge_commit, squash: .allow_squash_merge, rebase: .allow_rebase_merge}'` |
+| "Rebase merges cannot be automatically signed" | Signed commits + rebase | Enable squash merge on the repo; rebase merges cannot be auto-signed by GitHub |
 | Bot detection misses reruns | `github.actor` changes on synchronize | Use `github.event.pull_request.user.login` instead of `github.actor` |
 | Gitleaks fails on bot PRs | `GITLEAKS_LICENSE` secret unavailable | Skip gitleaks for bot PRs or use `.gitleaks.toml` allowlist |
 | Old PRs not auto-merging | Opened before workflow existed | Comment `@dependabot rebase` / `@renovate rebase` to trigger `synchronize` |
@@ -138,6 +139,38 @@ When landing multiple dependent PRs, expect the dependent PRs to need rebasing a
 | `REVIEW_REQUIRED` after rebase | Stale review dismissal cleared approval | Re-run auto-approve workflow |
 | Unresolved threads block merge | Old threads survive rebase | Resolve via GraphQL `resolveReviewThread` |
 
+## Signed Commits and Merge Strategy Compatibility
+
+GitHub can only auto-sign **merge commits** and **squash merges**. It **cannot** auto-sign rebased commits. If branch protection requires signed commits and the workflow uses `--rebase`, merges fail with:
+
+> `Base branch requires signed commits. Rebase merges cannot be automatically signed by GitHub.`
+
+### Auto-detect Merge Strategy
+
+Instead of hardcoding `--merge`, `--squash`, or `--rebase`, auto-detect from repo settings:
+
+```bash
+STRATEGY=$(gh api "repos/${{ github.repository }}" --jq '
+  if .allow_squash_merge then "--squash"
+  elif .allow_merge_commit then "--merge"
+  elif .allow_rebase_merge then "--rebase"
+  else "--squash" end')
+gh pr merge --auto $STRATEGY "$PR_URL"
+```
+
+**Priority order:** squash > merge > rebase. Squash is preferred because:
+1. Works with signed commit requirements (GitHub can sign squash merges)
+2. Clean history for single-commit dependency PRs
+3. Most universally compatible
+
+### Enabling Squash Merge on Repos
+
+If a repo only allows rebase merges and requires signed commits, enable squash:
+
+```bash
+gh api repos/OWNER/REPO -X PATCH -f allow_squash_merge=true
+```
+
 ## Recommended Renovate Config for Auto-merge
 
 ```json