
ci(auto-merge): drop App-based reusable workflow, use native auto-merge #149

Merged: ANcpLua merged 1 commit into main from claude/auto-merge-no-app on May 13, 2026

Conversation

ANcpLua (Owner) commented May 13, 2026

Summary

Replaces the App-based reusable auto-merge workflow with an inline
gh pr merge --auto --squash workflow. No GitHub App, no
AUTOMERGE_* secrets, no reusable workflow dependency.

Why

The AUTOMERGE_APP_ID GitHub App was deleted on 2026-05-12 as an
antipattern:

  • single point of failure across 4 framework repos
  • maintenance overhead (key rotation, install audits, secret hygiene)
  • Renovate's platformAutomerge: true (default) already handles the
    bot tier natively via the shared github>ANcpLua/renovate-config
    preset — no App needed for it
  • branch protection on main requires 0 approvals, so the App's classic
    cross-author-approval value-add is moot
  • nuget-publish.yml is gated on push: tags v* (manual tag), not on
    push: main, so a GITHUB_TOKEN-driven merge does not break the
    publish chain

What changed

  • .github/workflows/auto-merge.yml: removed uses: ANcpLua/renovate-config/.../auto-merge-reusable.yml@<sha> + secrets: inherit; replaced with an inline job that runs gh pr merge --auto --squash for Owner / AI-agent / CodeRabbit-approved PRs.

Test plan

  • Repo setting "Allow auto-merge" verified enabled (gh api repos/... shows allow_auto_merge = true)
  • AUTOMERGE_APP_ID and AUTOMERGE_APP_PRIVATE_KEY secrets
    already deleted from this repo (gh secret list shows none)
  • CI on this PR: build + tests still pass; new auto-merge job
    either runs (and enables native auto-merge on this very PR) or
    skips cleanly
  • Once merged: next Owner / claude/ / copilot/ / jules/ PR should
    get auto-merge enabled at PR-open without manual gh pr merge --auto

🤖 Generated with Claude Code


Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow configuration to use native auto-merge functionality with enhanced conditional triggering for AI-generated pull requests, owner-authored changes, and approved code reviews.

The AUTOMERGE_APP_ID GitHub App was deleted on 2026-05-12 as an
antipattern (single point of failure across 4 repos, maintenance
overhead, and Renovate's platformAutomerge already handles the bot tier
natively without it).

This replaces the thin caller into ANcpLua/renovate-config's
auto-merge-reusable.yml with an inline workflow that uses GITHUB_TOKEN's
pull-request:write scope to call `gh pr merge --auto --squash`. Branch
protection still gates the merge on required status checks.

Tiers retained: Owner PRs, AI Agent PRs (claude/, copilot/, jules/),
CodeRabbit-approved PRs. Renovate bot tier is handled entirely by the
shared preset's platformAutomerge:true + automerge:true rules, so no
workflow tier is needed for it. Dependabot tier dropped — not used
in any ANcpLua framework repo.

Prereq verified: repo Settings → "Allow auto-merge" is enabled on all
four repos.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 13, 2026 01:52
coderabbitai Bot (Contributor) commented May 13, 2026

Walkthrough

The workflow file was updated to replace the reusable workflow delegation with direct GitHub native auto-merge implementation. The previous job that called the external reusable workflow was removed. A new enable-auto-merge job was introduced that uses the gh pr merge CLI with GITHUB_TOKEN to enable auto-merge in squash mode. The job conditionally triggers for non-draft pull requests meeting specific criteria: AI/agent branch names, owner-authored PRs, or approved bot reviews. Dependencies on external auto-merge app secrets were eliminated.


Caution: Pre-merge checks failed. Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

  • No Datetime.Now/Utcnow: ❌ Error. DateTime.Now found in 2 C# test files without required inline comments explaining exception. Tests embed DateTime.Now strings for banned API detection testing. Resolution: add inline comments explaining each DateTime.Now usage in test fixtures (e.g., "// Intentional test case for banned symbol detection").
  • No Suppression Of Fixable Diagnostics: ⚠️ Warning. Three [SuppressMessage] attributes added for CA2000 without inline comments matching CLAUDE.md's acceptable-suppressions allowlist. Test infrastructure suppressions lack required comment markers. Resolution: add inline comments before each suppression with keywords from CLAUDE.md allowlist, or document test infrastructure exceptions in policy.

✅ Passed checks (6 passed)

  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • No .Result/.Wait() Blocking Async: ✅ Passed. Scanned all 18 added/modified C# files for blocking async patterns (.Result, .Wait(), .GetAwaiter().GetResult()). No violations detected.
  • No Null-Forgiving Operator Without Justification: ✅ Passed. Scanned all 18 added C# files. No null-forgiving operators (!) found; all ! are logical NOT operators in conditional expressions.
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. Title follows conventional commits format (ci prefix), is under 72 chars (71), has no trailing period, and accurately describes the main change: replacing App-based workflow with native auto-merge.

github-actions Bot commented

@coderabbitai autofix

claude Bot commented May 13, 2026

Claude encountered an error.

I'll analyze this and get back to you.

coderabbitai Bot (Contributor) commented May 13, 2026

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Autofix skipped. No unresolved CodeRabbit review comments with fix instructions found.

@ANcpLua ANcpLua enabled auto-merge (squash) May 13, 2026 01:53
Copilot AI (Contributor) left a comment

Pull request overview

This PR replaces the repo’s previous App-based, reusable auto-merge workflow with an inline GitHub Actions workflow that enables native GitHub auto-merge using gh pr merge --auto --squash and the built-in GITHUB_TOKEN.

Changes:

  • Removed the reusable workflow invocation (and related App/secret assumptions) in favor of an inline job.
  • Added logic to enable native auto-merge for certain PR “tiers” (AI-agent branch prefixes, “owner” PRs, and CodeRabbit approvals).
  • Updated workflow documentation/comments to reflect the new auto-merge approach and prerequisites.

Comment on lines +43 to +45
startsWith(github.event.pull_request.head.ref, 'claude/') ||
startsWith(github.event.pull_request.head.ref, 'copilot/') ||
startsWith(github.event.pull_request.head.ref, 'jules/') ||
startsWith(github.event.pull_request.head.ref, 'claude/') ||
startsWith(github.event.pull_request.head.ref, 'copilot/') ||
startsWith(github.event.pull_request.head.ref, 'jules/') ||
github.event.pull_request.user.login == github.repository_owner ||

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1f6b507058


Comment on lines +43 to +45
startsWith(github.event.pull_request.head.ref, 'claude/') ||
startsWith(github.event.pull_request.head.ref, 'copilot/') ||
startsWith(github.event.pull_request.head.ref, 'jules/') ||

P1: Restrict agent-branch auto-merge to trusted authors

The claude/, copilot/, and jules/ checks rely only on pull_request.head.ref, which is attacker-controlled for fork PRs; any external contributor can open a fork branch with one of these prefixes and this job will call gh pr merge --auto --squash on their PR. In this repository’s stated branch-protection model (0 required approvals), that effectively bypasses human review and can auto-merge untrusted changes once CI passes. Add an author/repo-origin trust check (for example, verify head.repo.full_name == github.repository and/or an allowlist of actor logins) before enabling auto-merge.


startsWith(github.event.pull_request.head.ref, 'claude/') ||
startsWith(github.event.pull_request.head.ref, 'copilot/') ||
startsWith(github.event.pull_request.head.ref, 'jules/') ||
github.event.pull_request.user.login == github.repository_owner ||

P2: Use a real maintainer predicate for owner PRs

github.event.pull_request.user.login == github.repository_owner does not match maintainer-authored PRs when the repository owner is an organization (as in ANcpLua/ANcpLua.NET.Sdk), so the documented “Owner PRs” path never triggers unless the branch also matches an AI-agent prefix. This regresses the intended auto-merge behavior for human maintainers; switch to a maintainer/member permission check rather than comparing author login to repository owner.

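
A hardened form of the enable-auto-merge job that the two Codex comments above discuss, added here as an example and not the PR's own .github/workflows/auto-merge.yml: a same-repository head check rejects fork PRs whatever their branch prefix (P1), and an author_association test replaces the login == repository_owner comparison that fails for organization-owned repos (P2). The trigger list, the OWNER/MEMBER choice and the login 'coderabbitai[bot]' are assumptions.

```yaml
# Added example, not the PR's own workflow file.
# Assumptions: the workflow subscribes to the events below, maintainers
# are OWNER/MEMBER accounts, and CodeRabbit approves as 'coderabbitai[bot]'.
name: auto-merge

on:
  pull_request:
    types: [opened, reopened, ready_for_review, synchronize]
  pull_request_review:
    types: [submitted]

permissions:
  contents: write
  pull-requests: write

jobs:
  enable-auto-merge:
    runs-on: ubuntu-latest
    # Gate 1: head.repo.full_name == github.repository means the branch lives
    #   in this repo, so only someone with push access could have created a
    #   claude/, copilot/ or jules/ branch; a fork branch with the same prefix
    #   never reaches the tier checks.
    # Gate 2: author_association is evaluated by GitHub against the repo or
    #   its owning organization, so it works where the owner is an org.
    if: >-
      github.event.pull_request.draft == false &&
      github.event.pull_request.head.repo.full_name == github.repository &&
      (
        startsWith(github.event.pull_request.head.ref, 'claude/') ||
        startsWith(github.event.pull_request.head.ref, 'copilot/') ||
        startsWith(github.event.pull_request.head.ref, 'jules/') ||
        contains(fromJSON('["OWNER","MEMBER"]'), github.event.pull_request.author_association) ||
        (
          github.event_name == 'pull_request_review' &&
          github.event.review.state == 'approved' &&
          github.event.review.user.login == 'coderabbitai[bot]'
        )
      )
    steps:
      - name: Enable native auto-merge (squash)
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed via env rather than interpolated into the script line.
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: gh pr merge --auto --squash "$PR_URL"
```

This gate only decides who may queue the merge; branch protection's required status checks still decide when the queued merge actually happens, as the PR description notes.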

@ANcpLua ANcpLua merged commit 1bb75b7 into main May 13, 2026
20 of 21 checks passed
@ANcpLua ANcpLua deleted the claude/auto-merge-no-app branch May 13, 2026 02:03