Skip to content

ci(auto-merge): consume reusable workflow from renovate-config #103

Merged: github-actions[bot] merged 4 commits into main from ci/auto-merge-reusable-app-token on May 5, 2026

Conversation

Owner

@ANcpLua ANcpLua commented May 5, 2026

Summary

Replaces the local auto-merge workflow with a thin caller delegating to the new reusable workflow at ANcpLua/renovate-config (PR #5 there).

Why

When the Owner / AI Agent / CodeRabbit tier calls gh pr merge --auto under GITHUB_TOKEN identity, GitHub records the eventual native-auto-merge as performed by github-actions[bot]. Per GitHub docs, events triggered by GITHUB_TOKEN (other than workflow_dispatch / repository_dispatch) do NOT trigger new workflow runs — anti-loop protection. So the resulting push: main is silently dropped and downstream publish workflows never fire.

Symptom seen on 2026-05-04: ANcpLua.NET.Sdk PR #99 merged at 20:22:30 UTC. The push: main event for the merge commit produced ZERO workflow runs. SDK had to be manually dispatched via gh workflow run to ship v3.4.16.

The fix uses a GitHub App installation token. The App becomes the merge actor; events fire normally.

Required setup

This PR is draft until two repo secrets exist:

  • AUTOMERGE_APP_ID — the numeric App ID
  • AUTOMERGE_APP_PRIVATE_KEY — full PEM contents of the App's private key

Setup is a one-time 5-min manual step:

  1. https://github.com/settings/apps/new — permissions: Contents (Write), Pull requests (Write)
  2. Generate private key, download .pem
  3. Install the App on this repo
  4. Add the two secrets

Once the secrets are in place this PR can be marked ready and merged.

Test plan

  • Once secrets exist, mark this PR ready
  • Verify Auto-merge workflow fires correctly via the reusable workflow
  • Open a follow-up Owner-tier PR, confirm downstream publish workflow triggers on merge

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflows to streamline continuous integration processes and improve overall system maintainability
    • Consolidated auto-merge functionality through adoption of a unified, reusable workflow configuration approach that reduces redundancy and simplifies management
    • Enhanced code review workflow to fetch and analyze extended Git history, enabling more thorough, accurate, and contextual reviews of incoming changes

Replaces the local 154-line auto-merge workflow with a 23-line thin
caller that delegates to ANcpLua/renovate-config/.github/workflows/
auto-merge-reusable.yml@main.

The reusable workflow uses a GitHub App installation token instead of
GITHUB_TOKEN, fixing the cascade-block bug: native auto-merge under
GITHUB_TOKEN identity silently drops the resulting push: main event,
preventing downstream publish workflows from triggering.

Required secrets in this repo:
  AUTOMERGE_APP_ID
  AUTOMERGE_APP_PRIVATE_KEY

See https://github.com/ANcpLua/renovate-config#auto-merge-reusable-workflow

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor

coderabbitai Bot commented May 5, 2026

📝 Walkthrough

Walkthrough

The pull request consolidates GitHub Actions workflow automation across two files. In auto-merge.yml, five distinct auto-merge jobs (Dependabot, Renovate, AI-agent, CodeRabbit, and owner-initiated) are replaced with a single delegated job that invokes an external reusable workflow, passing inherited secrets. Simultaneously, the claude-code-review.yml workflow increases Git history depth from 20 to 100 commits during PR checkout. These changes centralize merge logic externally while extending available commit history for code analysis.

🚥 Pre-merge checks | ✅ 8
✅ Passed checks (8 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. Title follows conventional commit format (ci prefix), is well under 72 characters (62 chars), clearly describes the main change (consuming reusable workflow), and contains no trailing period.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • No Datetime.Now/Utcnow: ✅ Passed. No C# files added or modified in this PR. Check is not applicable—only workflow YAML files changed.
  • No .Result/.Wait() Blocking Async: ✅ Passed. PR modifies only GitHub Actions workflow YAML files (.yml). No C# source files added/modified. Check scope (C# files) not applicable.
  • No Null-Forgiving Operator Without Justification: ✅ Passed. No C# files modified in this PR. Check scans C# files only. Workflow-only changes fall outside scope.
  • No Suppression Of Fixable Diagnostics: ✅ Passed. No C# files were modified in this PR. The check only applies to added/modified C# files containing warning suppressions. Changes affect only GitHub Actions workflows (.yml files).



github-actions Bot commented May 5, 2026

@coderabbitai autofix

Contributor

coderabbitai Bot commented May 5, 2026

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Autofix skipped. No unresolved CodeRabbit review comments with fix instructions found.


claude Bot commented May 5, 2026

Claude encountered an error.


I'll analyze this and get back to you.

Larger PRs occasionally need base-branch context beyond the last 20
commits. Costs ~2-3s extra checkout time.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

github-actions Bot commented May 5, 2026

@coderabbitai autofix

Contributor

coderabbitai Bot commented May 5, 2026


Autofix skipped. No unresolved CodeRabbit review comments with fix instructions found.

@ANcpLua ANcpLua marked this pull request as ready for review May 5, 2026 16:44
Copilot AI review requested due to automatic review settings May 5, 2026 16:44
@github-actions github-actions Bot enabled auto-merge (squash) May 5, 2026 16:44

github-actions Bot commented May 5, 2026

@coderabbitai autofix

Contributor

coderabbitai Bot commented May 5, 2026


Autofix skipped. No unresolved CodeRabbit review comments with fix instructions found.


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 23aea091e3


run: gh pr merge --auto --squash "$PR_URL"
auto-merge:
uses: ANcpLua/renovate-config/.github/workflows/auto-merge-reusable.yml@main
secrets: inherit


P1: Restrict secrets passed to reusable auto-merge workflow

Using secrets: inherit forwards every secret available to this workflow (repository, organization, and environment secrets) to the called workflow job, not just the two auto-merge app secrets. Because this job calls a workflow in another repository, any change there can access unrelated secrets and turn this into a broad credential-exposure path; pass only the required secret names explicitly instead.


GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh pr merge --auto --squash "$PR_URL"
auto-merge:
uses: ANcpLua/renovate-config/.github/workflows/auto-merge-reusable.yml@main


P2: Pin reusable workflow reference to an immutable revision

Referencing the reusable workflow as @main makes this repository execute whatever happens to be on that branch at runtime, so upstream pushes can silently change merge behavior or break this repo without any local diff. Since the called workflow runs with write permissions and inherited secrets, this is also a security hardening gap; pin to a full commit SHA (or controlled release tag) for deterministic behavior.


coderabbitai Bot previously requested changes May 5, 2026
Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/auto-merge.yml:
- Line 23: Replace the broad "secrets: inherit" usage with an explicit secrets
mapping that only passes the documented secrets; remove "secrets: inherit" and
add explicit keys for AUTOMERGE_APP_ID and AUTOMERGE_APP_PRIVATE_KEY (mapping
each to their corresponding repository secret, e.g. set AUTOMERGE_APP_ID to the
repository secret AUTOMERGE_APP_ID and AUTOMERGE_APP_PRIVATE_KEY to the
repository secret AUTOMERGE_APP_PRIVATE_KEY) so the reusable workflow only
receives those two secrets.
- Line 22: Replace the mutable branch reference in the reusable workflow call
with a specific commit SHA: change the uses value
"ANcpLua/renovate-config/.github/workflows/auto-merge-reusable.yml@main" to the
same path but pinned to the exact commit SHA you reviewed (e.g.,
"ANcpLua/renovate-config/.github/workflows/auto-merge-reusable.yml@<commit-sha>");
update the single uses line in .github/workflows/auto-merge.yml so the reusable
workflow is referenced by that immutable commit hash.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: c22d55b0-18da-462d-8d54-84bc705502a7

📥 Commits

Reviewing files that changed from the base of the PR and between db81335 and 23aea09.

📒 Files selected for processing (2)
  • .github/workflows/auto-merge.yml
  • .github/workflows/claude-code-review.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 180000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: claude-review
🧰 Additional context used
📓 Path-based instructions (1)
.github/workflows/**

⚙️ CodeRabbit configuration file

.github/workflows/**: Pin third-party actions to SHA. First-party (actions/*) tag-pin OK.
Concurrency groups required on push-triggered workflows.
Secrets via env: not inline. No secrets in logs.
Minimal permissions per job.
Pattern A release: changes to compute_version logic affect every push to
main — flag carefully.

Files:

  • .github/workflows/claude-code-review.yml
  • .github/workflows/auto-merge.yml
🔇 Additional comments (1)
.github/workflows/claude-code-review.yml (1)

35-35: LGTM. More history, better context.

Expanding shallow clone depth from 20 to 100 commits is sensible for agentic review. No structural concerns.

GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh pr merge --auto --squash "$PR_URL"
auto-merge:
uses: ANcpLua/renovate-config/.github/workflows/auto-merge-reusable.yml@main


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

find . -name "auto-merge.yml" -o -name "auto-merge*.yml" | head -20

Repository: ANcpLua/ANcpLua.NET.Sdk

Length of output: 102


🏁 Script executed:

cat -n .github/workflows/auto-merge.yml 2>/dev/null | head -30

Repository: ANcpLua/ANcpLua.NET.Sdk

Length of output: 847


Pin the reusable workflow to a commit SHA.

@main makes this privileged caller consume mutable workflow code from another repository. GitHub documents commit SHAs as the safest option for stability and security on reusable workflows. Pin this to the exact commit you reviewed.

Suggested change
-    uses: ANcpLua/renovate-config/.github/workflows/auto-merge-reusable.yml@main
+    uses: ANcpLua/renovate-config/.github/workflows/auto-merge-reusable.yml@<commit-sha>
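Review bot: the `+` line of this suggestion still carries the `<commit-sha>` placeholder, so it is a template rather than a committable change; the full hash of the renovate-config revision that was actually reviewed has to be substituted (the 23aea091e3 listed earlier as "Reviewed commit" is this PR's own commit, not the upstream one, so it is not the value to use), and a pinned hash also needs an update path, which is the upstream-workflow concern the maintainer's dismissal at the end of the thread raises.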

run: gh pr merge --auto --squash "$PR_URL"
auto-merge:
uses: ANcpLua/renovate-config/.github/workflows/auto-merge-reusable.yml@main
secrets: inherit


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

find . -name "auto-merge.yml" -type f

Repository: ANcpLua/ANcpLua.NET.Sdk

Length of output: 102


🏁 Script executed:

cat -n ./.github/workflows/auto-merge.yml

Repository: ANcpLua/ANcpLua.NET.Sdk

Length of output: 847


Replace secrets: inherit with explicit secret mapping.

Line 23 uses secrets: inherit, passing all caller secrets to the reusable workflow despite the file documenting only two required secrets: AUTOMERGE_APP_ID and AUTOMERGE_APP_PRIVATE_KEY. This unnecessarily widens the blast radius and violates the principle of minimal permissions per job.

Fix
-    secrets: inherit
+    secrets:
+      AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
+      AUTOMERGE_APP_PRIVATE_KEY: ${{ secrets.AUTOMERGE_APP_PRIVATE_KEY }}
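Review bot: the three `+` lines forward exactly the two secrets the commit message lists under "Required secrets in this repo", which is the minimal set the repository's own CodeRabbit rule "Minimal permissions per job" (quoted above) asks for; since the dismissal at the end of the thread leaves `secrets: inherit` in place, the merged caller still forwards every repository, organization and environment secret to a workflow in another repository, as the P1 Codex comment above describes.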
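Putting the two review findings together with the App-token mechanism from the PR description, as an added example that is neither this repository's nor renovate-config's actual file: the hardened thin caller (SHA-pinned, passing only the two documented secrets) and an assumed shape for the called workflow that mints an installation token and runs gh pr merge as the App. Two files are shown in one block separated by `---`; the `pull_request` trigger, the contents of auto-merge-reusable.yml and the all-zero SHA are assumptions.

```yaml
# .github/workflows/auto-merge.yml: the thin caller, hardened as the reviews suggest.
# The trigger is an assumption; the page does not show the caller's `on:` block.
name: Auto-merge
on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
jobs:
  auto-merge:
    # Pinned to a full commit SHA instead of @main. The 40 zeros are a placeholder,
    # not a real revision; the trailing comment records which ref the hash came from.
    uses: ANcpLua/renovate-config/.github/workflows/auto-merge-reusable.yml@0000000000000000000000000000000000000000 # main
    # Explicit mapping: only the two documented secrets cross the repository boundary.
    secrets:
      AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
      AUTOMERGE_APP_PRIVATE_KEY: ${{ secrets.AUTOMERGE_APP_PRIVATE_KEY }}

---
# auto-merge-reusable.yml: assumed shape of the called workflow (not the upstream file).
name: Auto-merge (reusable)
on:
  workflow_call:
    # The called side declares the secrets it accepts from the caller.
    secrets:
      AUTOMERGE_APP_ID:
        required: true
      AUTOMERGE_APP_PRIVATE_KEY:
        required: true
jobs:
  merge:
    runs-on: ubuntu-latest
    # GITHUB_TOKEN is deliberately unused: a merge performed under it is attributed
    # to github-actions[bot], and the resulting push to main fires no workflows.
    permissions: {}
    steps:
      - name: Mint a short-lived installation token for the App
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.AUTOMERGE_APP_ID }}
          private-key: ${{ secrets.AUTOMERGE_APP_PRIVATE_KEY }}
      - name: Enable native auto-merge as the App, not as github-actions[bot]
        env:
          # The token goes through env, never inline in the command, so it stays out of logs.
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          # In a called workflow, github.event is the caller's pull_request payload.
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: gh pr merge --auto --squash "$PR_URL"
```

The merge is then recorded as performed by the App, so the push to main triggers downstream workflows, which is the cascade-block fix the PR describes.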


Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.


github-actions Bot commented May 5, 2026

@coderabbitai autofix

Contributor

coderabbitai Bot commented May 5, 2026


⛔ CodeRabbit does not have permission to push changes to this repository. Please ensure CodeRabbit has Contents: Read and write permission.

@ANcpLua ANcpLua dismissed coderabbitai[bot]’s stale review May 5, 2026 23:49

SHA-pin/secrets-explicit concerns are upstream-workflow concerns; consumer thin-callers consume @main per the framework pattern. Resolved similarly on Analyzers#107 and qyl#186.

@github-actions github-actions Bot merged commit 7dc66da into main May 5, 2026
15 of 16 checks passed
@ANcpLua ANcpLua deleted the ci/auto-merge-reusable-app-token branch May 6, 2026 04:19
