Merged
146 changes: 8 additions & 138 deletions .github/workflows/auto-merge.yml
@@ -1,11 +1,9 @@
# Auto-merge workflow for trusted PRs
# Thin caller — delegates to the reusable workflow at
# ANcpLua/renovate-config (single source of truth across the framework).
#
# Tiers:
# 1a. Dependabot PRs: Auto-approve + auto-merge for patch/minor
# 1b. Renovate PRs: Auto-approve + auto-merge
# 2. AI Agent fix PRs (copilot/, jules/, claude/): Auto-merge when CI passes
# 3. CodeRabbit approved PRs: Auto-merge when CI passes
# 4. Owner PRs: Auto-merge when CI passes
# Required secrets in this repo:
# AUTOMERGE_APP_ID, AUTOMERGE_APP_PRIVATE_KEY
# See https://github.com/ANcpLua/renovate-config#auto-merge-reusable-workflow

name: Auto-merge
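Review bot: The header now drops the tier list (the old "Tiers:" block, 1a through 4) without replacing it, so a reader of this repository can no longer tell from the workflow file which actors get auto-merged or that Dependabot semver-major updates were excluded; that policy now lives in ANcpLua/renovate-config. Keep a one-line summary of the tiers the upstream workflow enforces next to the "See https://github.com/ANcpLua/renovate-config#auto-merge-reusable-workflow" link, and state that changing merge policy for this repo means reviewing a change in that other repository.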

@@ -20,134 +18,6 @@ permissions:
pull-requests: write

jobs:
dependabot-auto-merge:
name: Dependabot auto-merge
runs-on: ubuntu-latest
if: github.actor == 'dependabot[bot]'

steps:
- name: Fetch Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3
with:
github-token: ${{ secrets.GITHUB_TOKEN }}

- name: Auto-approve patch and minor updates
if: steps.metadata.outputs.update-type != 'version-update:semver-major'
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh pr review --approve "$PR_URL"

- name: Enable auto-merge for patch and minor
if: steps.metadata.outputs.update-type != 'version-update:semver-major'
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh pr merge --auto --squash "$PR_URL"

- name: Request Claude review for major updates
if: steps.metadata.outputs.update-type == 'version-update:semver-major'
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DEP_NAMES: ${{ steps.metadata.outputs.dependency-names }}
PREV_VERSION: ${{ steps.metadata.outputs.previous-version }}
NEW_VERSION: ${{ steps.metadata.outputs.new-version }}
run: |
gh pr comment "$PR_URL" --body "## ⚠️ Major Version Update

@claude Please review this major version update for breaking changes and merge if safe.

| Dependency | Update |
|------------|--------|
| \`$DEP_NAMES\` | \`$PREV_VERSION\` → \`$NEW_VERSION\` |

Check the changelog and verify compatibility."

renovate-auto-merge:
name: Renovate auto-merge
runs-on: ubuntu-latest
if: github.actor == 'renovate[bot]'

steps:
- name: Auto-approve Renovate PRs
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh pr review --approve "$PR_URL"

- name: Enable auto-merge for Renovate
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh pr merge --auto --squash "$PR_URL"

ai-agent-auto-merge:
name: AI Agent auto-merge
runs-on: ubuntu-latest
if: |
(github.actor == 'copilot[bot]' || github.actor == 'jules[bot]' || github.actor == 'claude-code[bot]') &&
(
startsWith(github.event.pull_request.head.ref, 'copilot/') ||
startsWith(github.event.pull_request.head.ref, 'jules/') ||
startsWith(github.event.pull_request.head.ref, 'claude/')
)

steps:
- name: Identify AI agent
id: agent
env:
BRANCH: ${{ github.event.pull_request.head.ref }}
run: |
if [[ "$BRANCH" == copilot/* ]]; then
echo "agent=Copilot" >> "$GITHUB_OUTPUT"
elif [[ "$BRANCH" == jules/* ]]; then
echo "agent=Jules" >> "$GITHUB_OUTPUT"
elif [[ "$BRANCH" == claude/* ]]; then
echo "agent=Claude" >> "$GITHUB_OUTPUT"
fi

- name: Auto-approve AI agent PRs
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AGENT: ${{ steps.agent.outputs.agent }}
run: |
echo "Auto-approving $AGENT PR"
gh pr review --approve "$PR_URL" --body "✅ Auto-approved: $AGENT autonomous fix PR"

- name: Enable auto-merge for AI agent PRs
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh pr merge --auto --squash "$PR_URL"

coderabbit-auto-merge:
name: CodeRabbit auto-merge
runs-on: ubuntu-latest
if: |
github.event_name == 'pull_request_review' &&
github.event.review.state == 'approved' &&
github.event.review.user.login == 'coderabbitai[bot]'

steps:
- name: Enable auto-merge for CodeRabbit approved PRs
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh pr merge --auto --squash "$PR_URL"

owner-auto-merge:
name: Owner auto-merge
runs-on: ubuntu-latest
if: |
github.event.pull_request.user.login == github.event.repository.owner.login &&
github.event.pull_request.draft == false

steps:
- name: Enable auto-merge for owner PRs
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh pr merge --auto --squash "$PR_URL"
auto-merge:
uses: ANcpLua/renovate-config/.github/workflows/auto-merge-reusable.yml@main
P2: Pin reusable workflow reference to an immutable revision

Referencing the reusable workflow as @main makes this repository execute whatever happens to be on that branch at runtime, so upstream pushes can silently change merge behavior or break this repo without any local diff. Since the called workflow runs with write permissions and inherited secrets, this is also a security hardening gap; pin to a full commit SHA (or controlled release tag) for deterministic behavior.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin the reusable workflow to a commit SHA.

@main makes this privileged caller consume mutable workflow code from another repository. GitHub documents commit SHAs as the safest option for stability and security on reusable workflows. Pin this to the exact commit you reviewed.

Suggested change
-    uses: ANcpLua/renovate-config/.github/workflows/auto-merge-reusable.yml@main
+    uses: ANcpLua/renovate-config/.github/workflows/auto-merge-reusable.yml@<commit-sha>
secrets: inherit
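Review bot: Every local gate leaves with the deleted jobs (the `github.actor == 'dependabot[bot]'` and `'renovate[bot]'` checks, the `copilot/`, `jules/`, `claude/` branch-prefix conditions, the `github.event.review.user.login == 'coderabbitai[bot]'` check, the owner and non-draft condition, and the semver-major exclusion on `steps.metadata.outputs.update-type`), and nothing in the two remaining lines says the reusable workflow applies the same conditions, so merge policy for this repository is now whatever `auto-merge-reusable.yml@main` contains at run time. In addition to pinning the ref and scoping the secrets, record in this PR which of the old conditions the upstream job enforces, in particular that Dependabot major updates still stop for review rather than auto-merging. Note also that the `gh pr review` and `gh pr merge` calls previously ran with `secrets.GITHUB_TOKEN`, whereas the upstream workflow is documented to use an App token from `AUTOMERGE_APP_ID`/`AUTOMERGE_APP_PRIVATE_KEY`; approvals and merges made with an App token can trigger further workflow runs, which GITHUB_TOKEN actions do not, so check that this does not re-trigger the review or auto-merge workflows on their own output.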
P1: Restrict secrets passed to reusable auto-merge workflow

Using secrets: inherit forwards every secret available to this workflow (repository, organization, and environment secrets) to the called workflow job, not just the two auto-merge app secrets. Because this job calls a workflow in another repository, any change there can access unrelated secrets and turn this into a broad credential-exposure path; pass only the required secret names explicitly instead.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Replace secrets: inherit with explicit secret mapping.

Line 23 uses secrets: inherit, passing all caller secrets to the reusable workflow despite the file documenting only two required secrets: AUTOMERGE_APP_ID and AUTOMERGE_APP_PRIVATE_KEY. This unnecessarily widens the blast radius and violates the principle of minimal permissions per job.

Fix
-    secrets: inherit
+    secrets:
+      AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
+      AUTOMERGE_APP_PRIVATE_KEY: ${{ secrets.AUTOMERGE_APP_PRIVATE_KEY }}

2 changes: 1 addition & 1 deletion .github/workflows/claude-code-review.yml
@@ -32,7 +32,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ github.event.pull_request.head.ref }}
fetch-depth: 20
fetch-depth: 100

- name: Run Claude Code Review (agentic)
id: claude-review
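Review bot: `fetch-depth: 100` is an unexplained magic number replacing 20, and the checkout still uses `ref: ${{ github.event.pull_request.head.ref }}`, a branch name that can move between the triggering event and the checkout step, so the tree the agentic review examines may not be the commit the run was triggered for. Add a comment stating why 100 commits is enough for the review diff (or use `fetch-depth: 0` if the merge base must always be reachable), and consider checking out `${{ github.event.pull_request.head.sha }}` so each run reviews a fixed commit.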