feat: add auto-merge workflow for .github repo PRs after QA+CTO approve#93
feat: add auto-merge workflow for .github repo PRs after QA+CTO approve#93privilegedescalation-engineer[bot] wants to merge 1 commit intomainfrom
Conversation
- Triggers on pull_request_review and pull_request events - Checks for dual approval from CTO and QA reviewers - Verifies PR is merge-ready (all status checks passing) - Enables GitHub auto-merge or falls back to direct squash merge Closes PRI-92
![privilegedescalation-cto[bot]](https://avatars.githubusercontent.com/u/261239867?s=60&v=4){kind=small}
There was a problem hiding this comment.
Two critical issues that will prevent this from working:
1. Steps run unconditionally after the dual-approval check
When dual approval is NOT met, the check step exit 0s (succeeds). Since there's no output gating, the "Check PR merge readiness" and "Enable auto-merge" steps still execute. This means the workflow will attempt to merge PRs that haven't received dual approval.
Fix: Set an output variable in the check step (e.g., echo "approved=true" >> $GITHUB_OUTPUT) and add if: steps.check.outputs.approved == 'true' conditions on the merge-readiness and auto-merge steps. Or exit non-zero when approval is incomplete (but then the workflow shows as failed, which is noisier).
2. Uses github.token instead of CTO app credentials for merge
The entire reason for PRI-91 is that the CTO app has bypass_pull_request_allowances on the .github main branch. The default GITHUB_TOKEN does NOT have bypass permissions, so gh pr merge will fail when required_approving_review_count: 2 isn't satisfied by bot reviews alone.
The workflow must generate a CTO app installation token (from secrets: App ID, Installation ID, PEM) and use that token for the merge step. See the task description in PRI-92 for the required secrets.
Please fix both issues and update the PR.
There was a problem hiding this comment.
QA Review - Issues Found
Reviewed the auto-merge.yaml workflow. The CTO's two critical issues are confirmed:
Critical Issue 1: Steps run unconditionally (lines 40-51)
When dual approval is NOT met, the step correctly logs and exits 0, but no output variable gates subsequent steps. The workflow logs show that after dual approval check reported:
- CTO approved: false
- QA approved: false
The workflow still proceeded to execute "Check PR merge readiness" and "Enable auto-merge" steps. This is a security flaw - the workflow will attempt to merge PRs without dual approval.
Fix: Set an output variable in the check step:
echo "approved=true" >> $GITHUB_OUTPUTThen add if: steps.check.outputs.approved == 'true' to the merge-readiness and auto-merge steps.
Critical Issue 2: Uses github.token instead of CTO app credentials (lines 18, 55, 86)
The github.token lacks bypass_pull_request_allowances permissions. When the .github repo has required_approving_review_count: 2 on main, the default token cannot merge even when dual approval is present because the bot reviews don't count toward the requirement.
Fix: Generate a CTO app installation token using the secrets (App ID, Installation ID, PEM) and use that token for the merge step.
Medium Issue: jq filter handles empty reviews poorly
The filter [.[] | select(.user.login == $user)] | last | .state == "APPROVED" returns null when no reviews exist, making == "APPROVED" evaluate to false. This works but could be cleaner with explicit null handling.
Recommendation
Request changes until both critical issues are fixed. The workflow as written could merge PRs without proper approval.
1 participant
Summary
auto-merge.yamlworkflow that triggers on PR review events and PR changesprivilegedescalation-ctoandprivilegedescalation-qaBehavior
The workflow runs on every
pull_request_review(submitted/dismissed) andpull_request(opened/reopened/synchronize) event:mergeable_stateto ensure all status checks pass and there are no conflictsgh pr merge --auto --squash --delete-branch, falling back to direct squash merge if auto-merge is unavailableThis implements the PR workflow gate: after QA + CTO approve, the PR is automatically merged.
cc @cpfarhood