ci: add auto-merge gates (merge-gate + auto-merge workflows)#193
Conversation
- merge-gate.yml: aggregates unit-tests, pr-validation, security, and contract-gate into a single 'All Gates Passed' fan-in job that branch protection rules reference as the single required status check - auto-merge.yml: enables/disables GitHub native squash auto-merge via the 'auto-merge' label; also triggers on approving review when the label is already present" Agent-Logs-Url: https://github.com/Bryan-Roe/Aria/sessions/0952772f-b6d1-4cd0-9c23-9737a6a9edb0 Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Bryan-Roe/Aria/sessions/0952772f-b6d1-4cd0-9c23-9737a6a9edb0 Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>
Reviewer's GuideAdds two GitHub Actions workflows: a Merge Gate fan-in workflow that aggregates multiple quality gates into a single required status check for main, and an Auto Merge workflow that toggles GitHub’s native squash auto-merge based on an Sequence diagram for Auto Merge label-based enable/disable flowsequenceDiagram
actor Dev as Developer
participant GH as GitHub
participant AutoMerge as Auto Merge workflow
participant GHCLI as gh_cli
participant PR as Pull Request
Dev->>GH: Add auto-merge label
GH-->>AutoMerge: pull_request labeled(auto-merge)
AutoMerge->>GHCLI: gh pr merge --auto --squash PR_URL
GHCLI-->>PR: Enable GitHub auto-merge (squash)
AutoMerge->>GHCLI: gh pr comment PR_URL (auto-merge enabled)
Dev->>GH: Approve PR that already has auto-merge label
GH-->>AutoMerge: pull_request_review submitted(approved)
AutoMerge->>GHCLI: gh pr merge --auto --squash PR_URL (idempotent)
GHCLI-->>PR: Auto-merge remains enabled
Dev->>GH: Remove auto-merge label
GH-->>AutoMerge: pull_request unlabeled(auto-merge)
AutoMerge->>GHCLI: gh pr merge --disable-auto PR_URL
GHCLI-->>PR: Disable GitHub auto-merge
AutoMerge->>GHCLI: gh pr comment PR_URL (auto-merge disabled)
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
Dependency ReviewThe following issues were found:
License Issues.github/workflows/merge-gate.yml
OpenSSF Scorecard
Scanned Files
|
There was a problem hiding this comment.
Hey - I've found 1 issue, and left some high level feedback:
- In the
gates-passedjob, skipped gates are always reported asskipped (draft PR)even though future changes could cause a gate to skip for other reasons; consider making the summary text reflect genericskippedresults rather than attributing them specifically to drafts. - The
Auto Mergeworkflow posts a new status comment every time auto-merge is (re-)enabled or disabled, which may generate noise on PRs with multiple approvals/label toggles; consider checking for an existing bot comment and updating it or making the operation idempotent with fewer repeated comments.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- In the `gates-passed` job, skipped gates are always reported as `skipped (draft PR)` even though future changes could cause a gate to skip for other reasons; consider making the summary text reflect generic `skipped` results rather than attributing them specifically to drafts.
- The `Auto Merge` workflow posts a new status comment every time auto-merge is (re-)enabled or disabled, which may generate noise on PRs with multiple approvals/label toggles; consider checking for an existing bot comment and updating it or making the operation idempotent with fewer repeated comments.
## Individual Comments
### Comment 1
<location path=".github/workflows/auto-merge.yml" line_range="51-55" />
<code_context>
+ # Enable auto-merge when the `auto-merge` label is applied OR when an
+ # approving review arrives on a PR that already carries the label.
+ # ---------------------------------------------------------------------------
+ enable:
+ name: Enable Auto-Merge
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ if: >-
+ github.event.pull_request.head.repo.full_name == github.repository &&
+ (
</code_context>
<issue_to_address>
**issue:** Guard auto-merge enabling against draft PRs to avoid `gh pr merge` failures.
This job can trigger for draft PRs (e.g., when the label is added early or an approval happens while still in draft). Since GitHub disallows enabling auto-merge on drafts, `gh pr merge --auto --squash` will fail and create noisy workflow runs. Please extend the `if` condition to also check `github.event.pull_request.draft == false` so the job only runs once the PR is no longer a draft.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
| enable: | ||
| name: Enable Auto-Merge | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 5 | ||
| if: >- |
There was a problem hiding this comment.
issue: Guard auto-merge enabling against draft PRs to avoid gh pr merge failures.
This job can trigger for draft PRs (e.g., when the label is added early or an approval happens while still in draft). Since GitHub disallows enabling auto-merge on drafts, gh pr merge --auto --squash will fail and create noisy workflow runs. Please extend the if condition to also check github.event.pull_request.draft == false so the job only runs once the PR is no longer a draft.
🔴 Coverage —
|
| Metric | Value |
|---|---|
| Total coverage | 59.6% |
→ vs main |
0.0% |
| Minimum threshold | 60% |
Updated on every push · 2026-05-06
There was a problem hiding this comment.
Pull request overview
Adds CI automation to consolidate multiple PR quality checks into a single required “merge gate” status, and introduces a label-driven workflow to toggle GitHub native auto-merge for same-repo PRs.
Changes:
- Adds a
Merge Gateworkflow that runs unit tests, PR validation, dependency security review, and an integration contract gate, then fans-in to a single required job (All Gates Passed). - Adds an
Auto Mergeworkflow that enables/disables GitHub squash auto-merge based on theauto-mergelabel and (re-)enables on approval events when the label is already present.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/merge-gate.yml | Introduces concurrent gate jobs and a single fan-in job intended to be the only branch protection required check. |
| .github/workflows/auto-merge.yml | Adds label/review-triggered automation to enable/disable GitHub native auto-merge via gh pr merge --auto/--disable-auto. |
| - name: Post status comment | ||
| env: | ||
| PR_URL: ${{ github.event.pull_request.html_url }} | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| set -euo pipefail | ||
| COMMENT="🤖 **Auto-merge enabled.** This PR will merge automatically once all required status checks pass and required approvals are satisfied. Remove the \`auto-merge\` label at any time to cancel." | ||
| gh pr comment "$PR_URL" --body "$COMMENT" | ||
|
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c9e62fafc4
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if [[ -f scripts/fast_validate.py ]]; then | ||
| python scripts/fast_validate.py | ||
| else | ||
| echo "::notice::scripts/fast_validate.py not found, skipping" |
There was a problem hiding this comment.
Fail PR validation when fast_validate script is missing
This gate silently passes when scripts/fast_validate.py is absent, which lets a PR remove or rename that validator without tripping the required PR Validation check. Because Merge Gate / All Gates Passed is intended to be the branch-protection fan-in, treating a missing validator as success weakens the protection and can allow invalid workflow/config changes through. Make this step fail when the script is missing so the gate remains enforceable.
Useful? React with 👍 / 👎.
…e endings, and incorporate new commits Changes incorporated from main: - SQL fallback hardening (PR #194) - Auto-merge gates (PR #193) - Pre-commit hook scoped to changed files (PR #192) - Line ending normalization via .gitattributes Conflict resolution strategy: - GitHub Actions workflow files: kept our SHA-pinned versions - All other conflicted files: took main's version - Preserved our security fixes (raise_for_status, XSS fixes, permissions) Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>
…aining health (#173) * Consolidate all open PR changes: docs, CI fixes, Node.js 24 migration, SHA pinning, training health fix Agent-Logs-Url: https://github.com/Bryan-Roe/Aria/sessions/14928084-823d-468d-9908-c68e5b97057a Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com> * Fix training health error message per code review feedback Agent-Logs-Url: https://github.com/Bryan-Roe/Aria/sessions/14928084-823d-468d-9908-c68e5b97057a Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com> * Update .github/workflows/markdown-quality.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com> * fix: replace placeholder SHA with real SHA for markdownlint-cli2-action v23 Agent-Logs-Url: https://github.com/Bryan-Roe/Aria/sessions/4d587816-47b9-479f-9922-4a8492d1785d Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com> * fix: restore -r requirements.txt in requirements-dev.txt and add raise_for_status() in test_auto_execute.py Agent-Logs-Url: https://github.com/Bryan-Roe/Aria/sessions/7d3b442c-1f03-4df7-b115-613bcc44885e Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com> * chore: sync with origin/main - resolve merge conflicts and incorporate new files - Resolved all merge conflicts between PR branch and origin/main: - .devcontainer/devcontainer.json: install both requirements.txt and requirements-dev.txt - .github/copilot-instructions.md: removed quantum-llm entries, added visible-reasoning.agent.md row - .github/prompts/agi.prompt.md: kept comprehensive main content with hidden-CoT front-matter - .github/workflows/actionlint.yml: kept SHA pin, adopted fail_level=error from main - .github/workflows/*.yml (15 files): kept SHA-pinned versions - .github/workflows/quantum-orchestration.yml: merged enhanced inputs from main + SHA pins - .github/workflows/pr-tests.yml: merged all env vars + SHA pins - .github/workflows/makecode.yml: deleted (removed in main) - README.md: accepted main's clean badge removal - apps/aria/test_auto_execute.py: kept raise_for_status() security fix - Added new files from main: - .gitattributes: LF line ending normalization - .github/agents/visible-reasoning.agent.md: new visible-reasoning agent - .markdownlint.yaml: markdownlint configuration - CODE_OF_CONDUCT.md: code of conduct - ai-projects/quantum-ml/src/quantum_llm/: quantum LLM module - tests/test_quantum_llm.py: quantum LLM tests Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com> * chore: sync with origin/main - resolve merge conflicts and incorporate new files Agent-Logs-Url: https://github.com/Bryan-Roe/Aria/sessions/6b1e0324-3931-4edc-8aac-ca175cf68da0 Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com> * Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com> * Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com> * Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com> * Potential fix for pull request finding 'CodeQL / DOM text reinterpreted as HTML' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com> * Potential fix for pull request finding 'CodeQL / DOM text reinterpreted as HTML' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com> * Potential fix for pull request finding 'CodeQL / DOM text reinterpreted as HTML' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com> * Potential fix for pull request finding 'CodeQL / DOM text reinterpreted as HTML' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com> * chore: sync with origin/main - resolve merge conflicts, normalize line endings, and incorporate new commits Changes incorporated from main: - SQL fallback hardening (PR #194) - Auto-merge gates (PR #193) - Pre-commit hook scoped to changed files (PR #192) - Line ending normalization via .gitattributes Conflict resolution strategy: - GitHub Actions workflow files: kept our SHA-pinned versions - All other conflicted files: took main's version - Preserved our security fixes (raise_for_status, XSS fixes, permissions) Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com> --------- Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
No single aggregated required check existed for branch protection, and there was no mechanism to enable auto-merge on regular PRs (only Dependabot had this).
merge-gate.ymlFour gates run concurrently on every non-draft PR to
main, funneling into a single fan-in job that branch protection references as the one required status check:unit-testsslow,azure,integrationmarkers)pr-validationfast_validate.pysecuritydependency-review-action— blocks high-severity CVEs and GPL/AGPL licensescontract-gateAll Gates PassedfailureorcancelledresultBranch protection config: add
Merge Gate / All Gates Passedas the sole required status check onmain. Draft PRs skip all gates; the fan-in still passes.auto-merge.ymlDrives GitHub native squash auto-merge via the
auto-mergelabel — does not bypass branch protection or required reviews.labeled→gh pr merge --auto --squash+ commentunlabeled→gh pr merge --disable-auto+ commentOne-time label setup:
gh label create auto-merge --color 0075ca --description "Enable auto-merge when checks pass"Summary by Sourcery
Introduce a consolidated merge gate workflow and a label-driven auto-merge workflow for pull requests targeting main.
CI:
auto-mergelabel and review events, without bypassing branch protection.