
ci: install safe-paths auto-merge#6

Merged: topcoder1 merged 1 commit into main from ci/install-safe-paths-automerge-1777778894 on May 3, 2026

Conversation

@topcoder1 (Owner)

Adds the safe-paths auto-merge caller from topcoder1/ci-workflows.

What this enables:

  • PRs whose diff touches only safe paths (docs/**, tests/**, test_*.py, *_test.*, *.test.*, *.spec.*, **/__tests__/**) get gh pr merge --auto --squash called automatically — any author.
  • All-or-nothing: any one unsafe path defers to claude-author-automerge.yml or manual click.
  • Branch protection still applies — required checks must pass before auto-merge fires.

Why this is safe:

  • Docs have zero runtime impact.
  • Tests cannot break runtime (failing tests do not ship; passing tests do not change behavior).
  • Maintainers click-merging typo fixes and test additions is alarm-fatigue-by-design — the path classification IS the safety argument.

Auto-merge rationale: workflow file → manual click-merge per CLAUDE.md. The whole point of the workflow being installed is to handle future docs/tests-only PRs — not this one.

🤖 Auto-installed via install-safe-paths-automerge.sh

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Adds the safe-paths auto-merge caller from topcoder1/ci-workflows.

PRs whose diff touches only docs/**, tests/**, test_*.py, *_test.*,
*.test.*, *.spec.*, or **/__tests__/** get gh pr merge --auto --squash
called automatically — any author. All-or-nothing: any one unsafe path
defers to claude-author-automerge.yml or manual click.

Branch protection's required-status-checks still apply.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
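The all-or-nothing path classification the PR body describes, as an added worked example (not code from this PR or from topcoder1/ci-workflows): it applies the safe-path globs listed above plus the one risk-tier regex the bot quotes further down, and reproduces why this PR's own workflow file could not auto-merge. Assumed, not stated on the page: a glob with no slash is matched on the basename, and the real reusable workflow may classify differently.

```python
import re

# Safe-path globs from the PR description (docs/tests-only diffs may auto-merge).
SAFE_GLOBS = ["docs/**", "tests/**", "test_*.py", "*_test.*",
              "*.test.*", "*.spec.*", "**/__tests__/**"]
# Risk-tier regexes: only the pattern the bot quoted on this page; the policy's
# other categories (auth/secrets/migrations/billing/infra) are not listed here.
RISK_TIER_REGEXES = [r"^\.github/workflows/.*"]

def glob_to_regex(glob: str) -> re.Pattern:
    """'**' spans path segments, '*' stays within one. Assumption: a glob
    with no '/' is matched against the basename (tests anywhere count)."""
    parts = []
    for tok in re.findall(r"\*\*/|\*\*|\*|[^*]+", glob):
        if tok == "**/":
            parts.append(r"(?:.*/)?")   # zero or more leading directories
        elif tok == "**":
            parts.append(r".*")         # anything, including '/'
        elif tok == "*":
            parts.append(r"[^/]*")      # anything except '/'
        else:
            parts.append(re.escape(tok))
    body = "".join(parts)
    if "/" not in glob:
        body = r"(?:.*/)?" + body
    return re.compile(r"^" + body + r"$")

def classify(changed_files: list[str]) -> tuple[str, list[str]]:
    """All-or-nothing decision; returns (decision, offending_files).
    Risk-tier hits block outright, any single non-safe path defers to the
    author-based workflow or a manual click-merge, all-safe auto-merges."""
    risky = [f for f in changed_files
             if any(re.search(r, f) for r in RISK_TIER_REGEXES)]
    if risky:
        return "blocked-risk-tier", risky
    safe = [glob_to_regex(g) for g in SAFE_GLOBS]
    unsafe = [f for f in changed_files if not any(s.match(f) for s in safe)]
    if unsafe:
        return "defer", unsafe
    return "auto-merge", []

if __name__ == "__main__":
    # Constructed sample diffs; the last one is this PR's own single file.
    for files in (["docs/setup.md", "tests/test_parser.py"],
                  ["docs/setup.md", "src/parser.py"],
                  [".github/workflows/safe-paths-automerge.yml"]):
        print(files, "->", classify(files))
```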
@topcoder1 topcoder1 enabled auto-merge (squash) May 3, 2026 03:28

github-actions Bot commented May 3, 2026

Auto-merge blocked — risk-tier paths touched.

This Claude-authored PR modifies files matching the risk-tier patterns
defined in the global CLAUDE.md policy (auth / secrets / migrations /
billing / production infra). Manual click-merge required.

Matched files:

`.github/workflows/safe-paths-automerge.yml` (matched: `^\.github/workflows/.*`)

Override only after review: add the `auto-merge` label. The risk-tier check
still runs — override does not bypass it. If a path is misclassified, fix it
in `topcoder1/ci-workflows/.github/workflows/claude-author-automerge.yml`.

Comment on lines +27 to +28:

```yaml
uses: topcoder1/ci-workflows/.github/workflows/safe-paths-automerge.yml@main
secrets: inherit
```

Supply-chain risk: floating @main ref + secrets: inherit

@main is a mutable pointer. If topcoder1/ci-workflows is ever compromised (or its main branch is force-pushed), this workflow silently changes behavior in this repo with no review gate — and because secrets: inherit passes all repository secrets, the attacker immediately has read access to every secret plus the contents: write / pull-requests: write permissions declared at the caller level.

Pin to a specific commit SHA instead:

Suggested change:

```diff
-uses: topcoder1/ci-workflows/.github/workflows/safe-paths-automerge.yml@main
-secrets: inherit
+uses: topcoder1/ci-workflows/.github/workflows/safe-paths-automerge.yml@<SHA>
+secrets: inherit
```

Update the SHA on each intentional upgrade. This is the standard mitigation for reusable-workflow supply-chain attacks and is enforced by GitHub's own security hardening guide (pin-actions / pin-reusable-workflows).


claude Bot commented May 3, 2026

Flagged 1 issue inline: floating @main ref combined with secrets: inherit is a supply-chain risk — pin the reusable workflow call to a commit SHA.

@topcoder1 topcoder1 merged commit e583ec0 into main May 3, 2026
7 checks passed
@topcoder1 topcoder1 deleted the ci/install-safe-paths-automerge-1777778894 branch May 3, 2026 03:29