From 2b67c7755795b7eb9ac93b0f0ecb957fda1ba521 Mon Sep 17 00:00:00 2001
From: Paperclip
Date: Wed, 15 Apr 2026 01:56:52 +0000
Subject: [PATCH] feat: add auto-merge workflow for .github repo PRs after QA+CTO approve
- Triggers on pull_request_review and pull_request events
- Checks for dual approval from CTO and QA reviewers
- Verifies PR is merge-ready (all status checks passing)
- Enables GitHub auto-merge or falls back to direct squash merge
Closes PRI-92
---
 .github/workflows/auto-merge.yaml | 95 +++++++++++++++++++++++++++++++
 1 file changed, 95 insertions(+)
 create mode 100644 .github/workflows/auto-merge.yaml
diff --git a/.github/workflows/auto-merge.yaml b/.github/workflows/auto-merge.yaml
new file mode 100644
index 0000000..ce61b79
--- /dev/null
+++ b/.github/workflows/auto-merge.yaml
@@ -0,0 +1,95 @@
+name: Auto Merge
+
+on:
+ pull_request_review:
+ types: [submitted, dismissed]
+ pull_request:
+ types: [opened, reopened, synchronize]
+
+jobs:
+ auto-merge:
+ name: Auto Merge (QA + CTO Approved)
+ runs-on: runners-privilegedescalation
+ timeout-minutes: 5
+
+ steps:
+ - name: Check dual approval
+ env:
+ GH_TOKEN: ${{ github.token }}
+ CTO_REVIEWER: privilegedescalation-cto
+ QA_REVIEWER: privilegedescalation-qa
+ REPO: ${{ github.repository }}
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ run: |
+ echo "Checking approvals on PR #${PR_NUMBER} in ${REPO}"
+
+ REVIEWS=$(curl -sf \
+ -H "Authorization: Bearer ${GH_TOKEN}" \
+ -H "Accept: application/vnd.github.v3+json" \
+ "https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
+
+ CTO_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${CTO_REVIEWER}" \
+ '[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
+
+ QA_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${QA_REVIEWER}" \
+ '[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
+
+ echo "CTO (${CTO_REVIEWER}) approved: ${CTO_APPROVED}"
+ echo "QA (${QA_REVIEWER}) approved: ${QA_APPROVED}"
+
+ if [ "${CTO_APPROVED}" = "true" ] && [ "${QA_APPROVED}" = "true" ]; then
+ echo "Both CTO and QA have approved."
+ else
+ echo "Dual approval not yet complete. Skipping merge."
+ if [ "${CTO_APPROVED}" != "true" ]; then
+ echo " Missing: CTO approval from ${CTO_REVIEWER}"
+ fi
+ if [ "${QA_APPROVED}" != "true" ]; then
+ echo " Missing: QA approval from ${QA_REVIEWER}"
+ fi
+ exit 0
+ fi
+
+ - name: Check PR merge readiness
+ env:
+ GH_TOKEN: ${{ github.token }}
+ REPO: ${{ github.repository }}
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ run: |
+ echo "Checking merge readiness for PR #${PR_NUMBER}"
+
+ PR_STATE=$(curl -sf \
+ -H "Authorization: Bearer ${GH_TOKEN}" \
+ -H "Accept: application/vnd.github.v3+json" \
+ "https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.mergeable_state')
+
+ echo "PR mergeable_state: ${PR_STATE}"
+
+ if [ "${PR_STATE}" = "clean" ] || [ "${PR_STATE}" = "unstable" ] || [ "${PR_STATE}" = "has_hooks" ]; then
+ echo "All required status checks passed."
+ elif [ "${PR_STATE}" = "blocked" ]; then
+ echo "PR is blocked (required checks not passing)."
+ exit 0
+ elif [ "${PR_STATE}" = "dirty" ]; then
+ echo "PR has merge conflicts. Cannot auto-merge."
+ exit 0
+ elif [ "${PR_STATE}" = "behind" ]; then
+ echo "PR is behind base branch. Cannot auto-merge."
+ exit 0
+ else
+ echo "PR state is '${PR_STATE}' — waiting for checks to complete."
+ exit 0
+ fi
+
+ - name: Enable auto-merge
+ env:
+ GH_TOKEN: ${{ github.token }}
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ run: |
+ echo "Enabling auto-merge for PR #${PR_NUMBER}"
+ if ! gh pr merge "${PR_NUMBER}" --auto --squash --delete-branch 2>&1; then
+ echo "::warning::Auto-merge not available. Falling back to direct squash merge."
+ gh pr merge "${PR_NUMBER}" --squash --delete-branch
+ else
+ echo "Auto-merge enabled successfully."
+ fi
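Review bot: The `exit 0` on the not-approved path of "Check dual approval" (and on every not-ready branch of "Check PR merge readiness") ends the step successfully, so the job continues into "Enable auto-merge" and can merge a PR that has no CTO/QA approval or is still `blocked`/`dirty`; a step that exits 0 does not stop the job's remaining steps, and none of the three steps carries an `if:`. Have each gate step publish its result under an `id:` with `echo "approved=true" >> "$GITHUB_OUTPUT"` and condition the following steps with `if: steps.approval.outputs.approved == 'true'`, as sketched below. The approval check also accepts a review made against any commit: an APPROVED review left on an earlier head survives a `synchronize` push unless branch protection dismisses it, so compare each review's `.commit_id` with `${{ github.event.pull_request.head.sha }}` before counting it. The fallback `gh pr merge --squash` runs with the workflow token whenever `--auto` fails, including when the repository simply has auto-merge disabled, so a comment stating which branch-protection rules that token is expected to be bound by would help the next maintainer judge the risk.
```yaml
      - name: Check dual approval
        id: approval
        env:  # … unchanged: GH_TOKEN, CTO_REVIEWER, QA_REVIEWER, REPO, PR_NUMBER …
        run: |
          # … unchanged: fetch reviews, compute CTO_APPROVED / QA_APPROVED …
          if [ "${CTO_APPROVED}" = "true" ] && [ "${QA_APPROVED}" = "true" ]; then
            echo "Both CTO and QA have approved."
            echo "approved=true" >> "$GITHUB_OUTPUT"
          else
            echo "Dual approval not yet complete. Skipping merge."
            echo "approved=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Check PR merge readiness
        id: readiness
        if: steps.approval.outputs.approved == 'true'
        env:  # … unchanged: GH_TOKEN, REPO, PR_NUMBER …
        run: |
          # … unchanged: fetch mergeable_state into PR_STATE …
          if [ "${PR_STATE}" = "clean" ] || [ "${PR_STATE}" = "unstable" ] || [ "${PR_STATE}" = "has_hooks" ]; then
            echo "ready=true" >> "$GITHUB_OUTPUT"
          else
            echo "PR mergeable_state is '${PR_STATE}'; not merging."
            echo "ready=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Enable auto-merge
        if: steps.readiness.outputs.ready == 'true'
        # … unchanged: env and run …
```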