From 3b7f2a624fe18d57bfb95d31959f0c348165546c Mon Sep 17 00:00:00 2001 From: Paperclip Date: Wed, 15 Apr 2026 04:13:33 +0000 Subject: [PATCH 1/3] feat: add auto-merge workflow with proper step gating - Add 'approved' output from dual approval check step - Gate merge readiness check and enable-auto-merge steps with approval output - Exit 1 when dual approval fails to properly block merge - Exit 1 for all merge readiness failure cases - Install gh CLI before merge step - Use CTO app installation token for merge operations (requires CTO_APP_* secrets) Fixes step gating bug where merge steps ran unconditionally. Token fix requires CTO_APP_ID, CTO_APP_INSTALLATION_ID, CTO_APP_PEM secrets. --- .github/workflows/auto-merge.yaml | 141 ++++++++++++++++++++++++++++++ 1 file changed, 141 insertions(+) create mode 100644 .github/workflows/auto-merge.yaml diff --git a/.github/workflows/auto-merge.yaml b/.github/workflows/auto-merge.yaml new file mode 100644 index 0000000..c2ff004 --- /dev/null +++ b/.github/workflows/auto-merge.yaml 
@@ -0,0 +1,141 @@ +name: Auto Merge + +on: + pull_request_review: + types: [submitted, dismissed] + pull_request: + types: [opened, reopened, synchronize] + +jobs: + auto-merge: + name: Auto Merge (QA + CTO Approved) + runs-on: runners-privilegedescalation + timeout-minutes: 5 + + steps: + - name: Check dual approval + id: check + env: + GH_TOKEN: ${{ github.token }} + CTO_REVIEWER: privilegedescalation-cto + QA_REVIEWER: privilegedescalation-qa + REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.pull_request.number }} + run: | + echo "Checking approvals on PR #${PR_NUMBER} in ${REPO}" + + REVIEWS=$(curl -sf \ + -H "Authorization: Bearer ${GH_TOKEN}" \ + -H "Accept: application/vnd.github.v3+json" \ + "https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/reviews") + + CTO_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${CTO_REVIEWER}" \ + '[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"') + + QA_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${QA_REVIEWER}" \ + '[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"') + + echo "CTO (${CTO_REVIEWER}) approved: ${CTO_APPROVED}" + echo "QA (${QA_REVIEWER}) approved: ${QA_APPROVED}" + + if [ "${CTO_APPROVED}" = "true" ] && [ "${QA_APPROVED}" = "true" ]; then + echo "Both CTO and QA have approved." + echo "approved=true" >> "$GITHUB_OUTPUT" + else + echo "Dual approval not yet complete. Skipping merge." 
+ if [ "${CTO_APPROVED}" != "true" ]; then + echo " Missing: CTO approval from ${CTO_REVIEWER}" + fi + if [ "${QA_APPROVED}" != "true" ]; then + echo " Missing: QA approval from ${QA_REVIEWER}" + fi + echo "approved=false" >> "$GITHUB_OUTPUT" + exit 1 + fi + + - name: Check PR merge readiness + if: steps.check.outputs.approved == 'true' + env: + GH_TOKEN: ${{ github.token }} + REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.pull_request.number }} + run: | + echo "Checking merge readiness for PR #${PR_NUMBER}" + + PR_STATE=$(curl -sf \ + -H "Authorization: Bearer ${GH_TOKEN}" \ + -H "Accept: application/vnd.github.v3+json" \ + "https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.mergeable_state') + + echo "PR mergeable_state: ${PR_STATE}" + + if [ "${PR_STATE}" = "clean" ] || [ "${PR_STATE}" = "unstable" ] || [ "${PR_STATE}" = "has_hooks" ]; then + echo "All required status checks passed." + elif [ "${PR_STATE}" = "blocked" ]; then + echo "PR is blocked (required checks not passing)." + exit 1 + elif [ "${PR_STATE}" = "dirty" ]; then + echo "PR has merge conflicts. Cannot auto-merge." + exit 1 + elif [ "${PR_STATE}" = "behind" ]; then + echo "PR is behind base branch. Cannot auto-merge." + exit 1 + else + echo "PR state is '${PR_STATE}' — waiting for checks to complete." + exit 1 + fi + + - name: Generate CTO app installation token + if: steps.check.outputs.approved == 'true' + id: cto-token + env: + GH_TOKEN: ${{ github.token }} + PR_NUMBER: ${{ github.event.pull_request.number }} + run: | + echo "Generating CTO app installation token for merge..." + + b64enc() { openssl enc -base64 -A | tr '+/' '-_' | tr -d '='; } + + NOW=$(date +%s) + HEADER=$(printf '{"alg":"RS256","typ":"JWT"}' | jq -r -c .) + PAYLOAD=$(printf '{"iat":%s,"exp":%s,"iss":"%s"}' "$NOW" "$((NOW + 600))" "${{ vars.CTO_APP_ID }}" | jq -r -c .) 
+ SIGNED=$(printf '%s' "$HEADER" | b64enc).$(printf '%s' "$PAYLOAD" | b64enc) + SIG=$(printf '%s' "$SIGNED" | openssl dgst -binary -sha256 -sign "${{ secrets.CTO_APP_PEM }}" | b64enc) + JWT="${SIGNED}.${SIG}" + + CTO_TOKEN=$(curl -s -X POST \ + -H "Authorization: Bearer ${JWT}" \ + -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/app/installations/${{ vars.CTO_APP_INSTALLATION_ID }}/access_tokens" \ + | jq -r '.token') + + echo "cto_token=${CTO_TOKEN}" >> "$GITHUB_OUTPUT" + + - name: Install GitHub CLI + if: steps.check.outputs.approved == 'true' + run: | + if ! command -v gh &>/dev/null; then + GH_VERSION="2.74.0" + curl -fsSL "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz" -o /tmp/gh.tar.gz + tar -xzf /tmp/gh.tar.gz -C /tmp + mkdir -p "$HOME/.local/bin" + mv "/tmp/gh_${GH_VERSION}_linux_amd64/bin/gh" "$HOME/.local/bin/gh" + rm -rf /tmp/gh.tar.gz "/tmp/gh_${GH_VERSION}_linux_amd64" + echo "$HOME/.local/bin" >> "$GITHUB_PATH" + "$HOME/.local/bin/gh" --version + fi + + - name: Enable auto-merge + if: steps.check.outputs.approved == 'true' + env: + GH_TOKEN: ${{ steps.cto-token.outputs.cto_token }} + PR_NUMBER: ${{ github.event.pull_request.number }} + run: | + echo "Enabling auto-merge for PR #${PR_NUMBER}" + if ! "$HOME/.local/bin/gh" pr merge "${PR_NUMBER}" --auto --squash --delete-branch 2>&1; then + echo "::warning::Auto-merge not available. Falling back to direct squash merge." + "$HOME/.local/bin/gh" pr merge "${PR_NUMBER}" --squash --delete-branch + else + echo "Auto-merge enabled successfully." + fi \ No newline at end of file From cdd85cad629df1dba1bdbc87f9db42daad4fbef7 Mon Sep 17 00:00:00 2001 
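Review bot: The dual-approval gate in the `Check dual approval` step accepts a review regardless of which commit it was submitted against, so on a `synchronize` event an approval given before new commits were pushed still satisfies the check and the later `Enable auto-merge` step can merge code neither reviewer has seen (unless branch protection independently dismisses stale reviews, which this workflow does not verify). Pass the head SHA in as `HEAD_SHA: ${{ github.event.pull_request.head.sha }}` and restrict both jq filters to reviews on that commit, e.g. `select((.user.login == $user or .user.login == ($user + "[bot]")) and .commit_id == $sha)` with `--arg sha "${HEAD_SHA}"`. The same step reads `/pulls/${PR_NUMBER}/reviews` without `?per_page=100`, so on a PR with more than the default 30 reviews the most recent ones are never fetched and `last` runs on a truncated list. Separately, `Generate CTO app installation token` writes the installation token to `$GITHUB_OUTPUT` without masking it first; add `echo "::add-mask::${CTO_TOKEN}"` before the `cto_token=` line, and fail the step when the token is empty or `null`, since `curl -s` without `-f` quietly returns an error body that `jq -r '.token'` turns into the string `null`, which then becomes `GH_TOKEN` for the merge step.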
From: Gandalf Date: Wed, 15 Apr 2026 10:38:51 +0000 Subject: [PATCH 2/3] Address QA feedback on auto-merge workflow (PRI-138) - Add trailing newline (fix missing newline at EOF) - Add comment clarifying jq filter uses last review per user (GitHub review model) - Add early validation for CTO_APP_ID, CTO_APP_INSTALLATION_ID, CTO_APP_PEM secrets with error referencing PRI-103 QA feedback from PRI-138 --- .github/workflows/auto-merge.yaml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/auto-merge.yaml b/.github/workflows/auto-merge.yaml index c2ff004..1c42698 100644 --- a/.github/workflows/auto-merge.yaml +++ b/.github/workflows/auto-merge.yaml @@ -24,6 +24,11 @@ jobs: run: | echo "Checking approvals on PR #${PR_NUMBER} in ${REPO}" + if [ -z "${{ vars.CTO_APP_ID }}" ] || [ -z "${{ vars.CTO_APP_INSTALLATION_ID }}" ] || [ -z "${{ secrets.CTO_APP_PEM }}" ]; then + echo "::error::Missing CTO app configuration. Set CTO_APP_ID, CTO_APP_INSTALLATION_ID (repository variables), and CTO_APP_PEM (secret) before enabling auto-merge. See PRI-103." + exit 1 + fi + REVIEWS=$(curl -sf \ -H "Authorization: Bearer ${GH_TOKEN}" \ -H "Accept: application/vnd.github.v3+json" \ 
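Review bot: The added guard tests `${{ secrets.CTO_APP_PEM }}` by expanding the secret (and the two variables) directly into the `run:` script text, so the full PEM body is substituted into the shell source before bash parses it rather than being read from the environment like `GH_TOKEN` and `PR_NUMBER` are in this same step. Declaring `CTO_APP_PEM: ${{ secrets.CTO_APP_PEM }}` (and likewise the two vars) under the step's `env:` and testing `[ -z "${CTO_APP_PEM}" ]` keeps the check consistent with the rest of the step and avoids relying on the PEM never containing shell-significant characters. The step's `name:`, `id:` and `env:` block sit above this hunk, so the env additions land outside it.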
@@ -32,9 +37,14 @@ jobs: CTO_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${CTO_REVIEWER}" \ '[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"') + # Note: GitHub review model returns all reviews; `last` here intentionally picks the most recent review per user. + # A user cannot have two approvals on the same PR, so this correctly checks whether the latest review is an approval. + QA_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${QA_REVIEWER}" \ '[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"') + # Note: Same as above — `last` per user reflects the most recent review state. + echo "CTO (${CTO_REVIEWER}) approved: ${CTO_APPROVED}" echo "QA (${QA_REVIEWER}) approved: ${QA_APPROVED}" @@ -138,4 +148,5 @@ jobs: "$HOME/.local/bin/gh" pr merge "${PR_NUMBER}" --squash --delete-branch else echo "Auto-merge enabled successfully." - fi \ No newline at end of file + fi + From d6e8d33f30b4fbfb44ba46315f03cb7420dac53b Mon Sep 17 00:00:00 2001 From: Hugh Hackman Date: Wed, 15 Apr 2026 10:55:28 +0000 Subject: [PATCH 3/3] fix: write PEM secret to temp file for openssl dgst -sign openssl dgst -sign expects a file path, not inline PEM content. Write secret to temp file, use it for signing, then clean up. Also remove unused GH_TOKEN and PR_NUMBER env vars from this step. Closes PRI-142. --- .github/workflows/auto-merge.yaml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/auto-merge.yaml b/.github/workflows/auto-merge.yaml index 1c42698..6972fcd 100644 --- a/.github/workflows/auto-merge.yaml +++ b/.github/workflows/auto-merge.yaml 
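Review bot: The new comment states that `last` reflects the reviewer's current state because "a user cannot have two approvals on the same PR", but the reviews endpoint also returns COMMENTED (and, after a dismissal, DISMISSED) entries per user, so as far as I can tell a comment-only review submitted after an approval makes `last | .state == "APPROVED"` report false even though GitHub still treats that user as having approved. Either reword the comment to describe the rule this script actually implements, e.g. `# Note: the latest review of any kind is used; a later comment-only review clears a prior approval for this check`, or exclude comment reviews before `last` with `select(... and .state != "COMMENTED")` and say so in the comment. Both approval filters in this hunk need the same treatment. The `@@ -138,4 +148,5 @@` hunk is a trailing-newline fix and needs nothing.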
@@ -98,21 +98,24 @@ jobs: - name: Generate CTO app installation token if: steps.check.outputs.approved == 'true' id: cto-token - env: - GH_TOKEN: ${{ github.token }} - PR_NUMBER: ${{ github.event.pull_request.number }} run: | echo "Generating CTO app installation token for merge..." + CTO_PEM_FILE=$(mktemp) + echo "${{ secrets.CTO_APP_PEM }}" > "$CTO_PEM_FILE" + chmod 600 "$CTO_PEM_FILE" + b64enc() { openssl enc -base64 -A | tr '+/' '-_' | tr -d '='; } NOW=$(date +%s) HEADER=$(printf '{"alg":"RS256","typ":"JWT"}' | jq -r -c .) PAYLOAD=$(printf '{"iat":%s,"exp":%s,"iss":"%s"}' "$NOW" "$((NOW + 600))" "${{ vars.CTO_APP_ID }}" | jq -r -c .) SIGNED=$(printf '%s' "$HEADER" | b64enc).$(printf '%s' "$PAYLOAD" | b64enc) - SIG=$(printf '%s' "$SIGNED" | openssl dgst -binary -sha256 -sign "${{ secrets.CTO_APP_PEM }}" | b64enc) + SIG=$(printf '%s' "$SIGNED" | openssl dgst -binary -sha256 -sign "$CTO_PEM_FILE" | b64enc) JWT="${SIGNED}.${SIG}" + rm -f "$CTO_PEM_FILE" + CTO_TOKEN=$(curl -s -X POST \ -H "Authorization: Bearer ${JWT}" \ -H "Accept: application/vnd.github+json" \