Skip to content

ci: add auto-merge gates (merge-gate + auto-merge workflows)#193

Merged
Bryan-Roe merged 2 commits into
mainfrom
copilot/set-up-auto-merge-gates
May 6, 2026
Merged

ci: add auto-merge gates (merge-gate + auto-merge workflows)#193
Bryan-Roe merged 2 commits into
mainfrom
copilot/set-up-auto-merge-gates

Conversation

Copilot AI commented May 6, 2026

Copy link
Copy Markdown
Contributor

No single aggregated required check existed for branch protection, and there was no mechanism to enable auto-merge on regular PRs (only Dependabot had this).

merge-gate.yml

Four gates run concurrently on every non-draft PR to main, funneling into a single fan-in job that branch protection references as the one required status check:

Job Purpose
unit-tests pytest (excludes slow, azure, integration markers)
pr-validation workflow YAML, function bindings, fast_validate.py
security dependency-review-action — blocks high-severity CVEs and GPL/AGPL licenses
contract-gate site bundles, composite actions, integration contract
All Gates Passed fan-in; fails on any failure or cancelled result

Branch protection config: add Merge Gate / All Gates Passed as the sole required status check on main. Draft PRs skip all gates; the fan-in still passes.

auto-merge.yml

Drives GitHub native squash auto-merge via the auto-merge label — does not bypass branch protection or required reviews.

  • labeledgh pr merge --auto --squash + comment
  • unlabeledgh pr merge --disable-auto + comment
  • Approving review on a PR already carrying the label → re-triggers enable (idempotent)
  • Fork PRs silently skipped (read-only token)

One-time label setup:

gh label create auto-merge --color 0075ca --description "Enable auto-merge when checks pass"

Summary by Sourcery

Introduce a consolidated merge gate workflow and a label-driven auto-merge workflow for pull requests targeting main.

CI:

  • Add a Merge Gate workflow that runs unit tests, PR validation, security review, and an integration contract gate, exposing a single aggregated required status check for main.
  • Add an Auto Merge workflow that enables or disables GitHub’s native squash auto-merge based on an auto-merge label and review events, without bypassing branch protection.

Copilot AI and others added 2 commits May 6, 2026 04:06
- merge-gate.yml: aggregates unit-tests, pr-validation, security, and
  contract-gate into a single 'All Gates Passed' fan-in job that branch
  protection rules reference as the single required status check
- auto-merge.yml: enables/disables GitHub native squash auto-merge via
  the 'auto-merge' label; also triggers on approving review when the
  label is already present"

Agent-Logs-Url: https://github.com/Bryan-Roe/Aria/sessions/0952772f-b6d1-4cd0-9c23-9737a6a9edb0

Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>
@sourcery-ai

sourcery-ai Bot commented May 6, 2026

Copy link
Copy Markdown
Contributor

Reviewer's Guide

Adds two GitHub Actions workflows: a Merge Gate fan-in workflow that aggregates multiple quality gates into a single required status check for main, and an Auto Merge workflow that toggles GitHub’s native squash auto-merge based on an auto-merge label without bypassing branch protection.

Sequence diagram for Auto Merge label-based enable/disable flow

sequenceDiagram
  actor Dev as Developer
  participant GH as GitHub
  participant AutoMerge as Auto Merge workflow
  participant GHCLI as gh_cli
  participant PR as Pull Request

  Dev->>GH: Add auto-merge label
  GH-->>AutoMerge: pull_request labeled(auto-merge)
  AutoMerge->>GHCLI: gh pr merge --auto --squash PR_URL
  GHCLI-->>PR: Enable GitHub auto-merge (squash)
  AutoMerge->>GHCLI: gh pr comment PR_URL (auto-merge enabled)

  Dev->>GH: Approve PR that already has auto-merge label
  GH-->>AutoMerge: pull_request_review submitted(approved)
  AutoMerge->>GHCLI: gh pr merge --auto --squash PR_URL (idempotent)
  GHCLI-->>PR: Auto-merge remains enabled

  Dev->>GH: Remove auto-merge label
  GH-->>AutoMerge: pull_request unlabeled(auto-merge)
  AutoMerge->>GHCLI: gh pr merge --disable-auto PR_URL
  GHCLI-->>PR: Disable GitHub auto-merge
  AutoMerge->>GHCLI: gh pr comment PR_URL (auto-merge disabled)
Loading

File-Level Changes

Change Details Files
Introduce a Merge Gate workflow that runs multiple CI gates and funnels them into a single required status check for PRs targeting main.
  • Trigger on pull_request events to main (non-draft) with concurrency keyed by PR number and default read-only permissions.
  • Define four parallel gate jobs: unit tests (pytest with selected markers), PR validation (workflow YAML, function bindings, optional fast_validate.py), security review (dependency-review-action with severity and license restrictions), and integration contract checks (site bundles, composite actions, integration contract gate).
  • Add a fan-in job that depends on all four gates, evaluates their results (including draft skips), writes a human-readable summary, and fails if any gate failed or was cancelled so it can be used as the single branch protection check.
.github/workflows/merge-gate.yml
Add an Auto Merge workflow that enables or disables GitHub native squash auto-merge controlled by an auto-merge label.
  • Trigger on pull_request label changes and pull_request_review submissions with write permissions for contents and pull-requests and concurrency per PR to avoid races.
  • Enable auto-merge when the auto-merge label is applied or an approving review is submitted on a labeled PR, restricted to same-repo PRs, using gh CLI to enable --auto --squash and posting a status comment plus step summary.
  • Disable auto-merge when the auto-merge label is removed, again restricted to same-repo PRs, using gh CLI to disable auto-merge and posting a status comment plus step summary.
.github/workflows/auto-merge.yml

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@Bryan-Roe Bryan-Roe marked this pull request as ready for review May 6, 2026 04:34
@Bryan-Roe Bryan-Roe self-requested a review as a code owner May 6, 2026 04:34
Copilot AI review requested due to automatic review settings May 6, 2026 04:34
@github-actions

github-actions Bot commented May 6, 2026

Copy link
Copy Markdown
Contributor

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 2 package(s) with unknown licenses.
See the Details below.

License Issues

.github/workflows/merge-gate.yml

PackageVersionLicenseIssue Type
actions/checkout4.*.*NullUnknown License
actions/dependency-review-action4.*.*NullUnknown License
Denied Licenses: GPL-2.0, GPL-3.0, AGPL-3.0

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout 4.*.* 🟢 5.7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
Packaging⚠️ -1packaging workflow not detected
License🟢 10license file detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
SAST🟢 8SAST tool detected but not run on all commits
actions/actions/dependency-review-action 4.*.* 🟢 7.8
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Security-Policy🟢 9security policy file detected
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1030 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies⚠️ 1dependency not pinned by hash detected -- score normalized to 1
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
SAST🟢 10SAST tool is run on all commits

Scanned Files

  • .github/workflows/merge-gate.yml

@Bryan-Roe Bryan-Roe merged commit bcb9ca2 into main May 6, 2026
49 of 54 checks passed

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 1 issue, and left some high level feedback:

  • In the gates-passed job, skipped gates are always reported as skipped (draft PR) even though future changes could cause a gate to skip for other reasons; consider making the summary text reflect generic skipped results rather than attributing them specifically to drafts.
  • The Auto Merge workflow posts a new status comment every time auto-merge is (re-)enabled or disabled, which may generate noise on PRs with multiple approvals/label toggles; consider checking for an existing bot comment and updating it or making the operation idempotent with fewer repeated comments.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- In the `gates-passed` job, skipped gates are always reported as `skipped (draft PR)` even though future changes could cause a gate to skip for other reasons; consider making the summary text reflect generic `skipped` results rather than attributing them specifically to drafts.
- The `Auto Merge` workflow posts a new status comment every time auto-merge is (re-)enabled or disabled, which may generate noise on PRs with multiple approvals/label toggles; consider checking for an existing bot comment and updating it or making the operation idempotent with fewer repeated comments.

## Individual Comments

### Comment 1
<location path=".github/workflows/auto-merge.yml" line_range="51-55" />
<code_context>
+  # Enable auto-merge when the `auto-merge` label is applied OR when an
+  # approving review arrives on a PR that already carries the label.
+  # ---------------------------------------------------------------------------
+  enable:
+    name: Enable Auto-Merge
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    if: >-
+      github.event.pull_request.head.repo.full_name == github.repository &&
+      (
</code_context>
<issue_to_address>
**issue:** Guard auto-merge enabling against draft PRs to avoid `gh pr merge` failures.

This job can trigger for draft PRs (e.g., when the label is added early or an approval happens while still in draft). Since GitHub disallows enabling auto-merge on drafts, `gh pr merge --auto --squash` will fail and create noisy workflow runs. Please extend the `if` condition to also check `github.event.pull_request.draft == false` so the job only runs once the PR is no longer a draft.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment on lines +51 to +55
enable:
name: Enable Auto-Merge
runs-on: ubuntu-latest
timeout-minutes: 5
if: >-

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue: Guard auto-merge enabling against draft PRs to avoid gh pr merge failures.

This job can trigger for draft PRs (e.g., when the label is added early or an approval happens while still in draft). Since GitHub disallows enabling auto-merge on drafts, gh pr merge --auto --squash will fail and create noisy workflow runs. Please extend the if condition to also check github.event.pull_request.draft == false so the job only runs once the PR is no longer a draft.

@github-actions

github-actions Bot commented May 6, 2026

Copy link
Copy Markdown
Contributor

🔴 Coverage — ab898d6

Metric Value
Total coverage 59.6%
→ vs main 0.0%
Minimum threshold 60%

Updated on every push · 2026-05-06

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds CI automation to consolidate multiple PR quality checks into a single required “merge gate” status, and introduces a label-driven workflow to toggle GitHub native auto-merge for same-repo PRs.

Changes:

  • Adds a Merge Gate workflow that runs unit tests, PR validation, dependency security review, and an integration contract gate, then fans-in to a single required job (All Gates Passed).
  • Adds an Auto Merge workflow that enables/disables GitHub squash auto-merge based on the auto-merge label and (re-)enables on approval events when the label is already present.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/merge-gate.yml Introduces concurrent gate jobs and a single fan-in job intended to be the only branch protection required check.
.github/workflows/auto-merge.yml Adds label/review-triggered automation to enable/disable GitHub native auto-merge via gh pr merge --auto/--disable-auto.

Comment on lines +79 to +87
- name: Post status comment
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
COMMENT="🤖 **Auto-merge enabled.** This PR will merge automatically once all required status checks pass and required approvals are satisfied. Remove the \`auto-merge\` label at any time to cancel."
gh pr comment "$PR_URL" --body "$COMMENT"

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c9e62fafc4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +100 to +103
if [[ -f scripts/fast_validate.py ]]; then
python scripts/fast_validate.py
else
echo "::notice::scripts/fast_validate.py not found, skipping"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Fail PR validation when fast_validate script is missing

This gate silently passes when scripts/fast_validate.py is absent, which lets a PR remove or rename that validator without tripping the required PR Validation check. Because Merge Gate / All Gates Passed is intended to be the branch-protection fan-in, treating a missing validator as success weakens the protection and can allow invalid workflow/config changes through. Make this step fail when the script is missing so the gate remains enforceable.

Useful? React with 👍 / 👎.

Copilot AI added a commit that referenced this pull request May 7, 2026
…e endings, and incorporate new commits

Changes incorporated from main:
- SQL fallback hardening (PR #194)
- Auto-merge gates (PR #193)
- Pre-commit hook scoped to changed files (PR #192)
- Line ending normalization via .gitattributes

Conflict resolution strategy:
- GitHub Actions workflow files: kept our SHA-pinned versions
- All other conflicted files: took main's version
- Preserved our security fixes (raise_for_status, XSS fixes, permissions)

Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>
Bryan-Roe added a commit that referenced this pull request May 9, 2026
…aining health (#173)

* Consolidate all open PR changes: docs, CI fixes, Node.js 24 migration, SHA pinning, training health fix

Agent-Logs-Url: https://github.com/Bryan-Roe/Aria/sessions/14928084-823d-468d-9908-c68e5b97057a

Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>

* Fix training health error message per code review feedback

Agent-Logs-Url: https://github.com/Bryan-Roe/Aria/sessions/14928084-823d-468d-9908-c68e5b97057a

Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>

* Update .github/workflows/markdown-quality.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>

* fix: replace placeholder SHA with real SHA for markdownlint-cli2-action v23

Agent-Logs-Url: https://github.com/Bryan-Roe/Aria/sessions/4d587816-47b9-479f-9922-4a8492d1785d

Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>

* fix: restore -r requirements.txt in requirements-dev.txt and add raise_for_status() in test_auto_execute.py

Agent-Logs-Url: https://github.com/Bryan-Roe/Aria/sessions/7d3b442c-1f03-4df7-b115-613bcc44885e

Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>

* chore: sync with origin/main - resolve merge conflicts and incorporate new files

- Resolved all merge conflicts between PR branch and origin/main:
  - .devcontainer/devcontainer.json: install both requirements.txt and requirements-dev.txt
  - .github/copilot-instructions.md: removed quantum-llm entries, added visible-reasoning.agent.md row
  - .github/prompts/agi.prompt.md: kept comprehensive main content with hidden-CoT front-matter
  - .github/workflows/actionlint.yml: kept SHA pin, adopted fail_level=error from main
  - .github/workflows/*.yml (15 files): kept SHA-pinned versions
  - .github/workflows/quantum-orchestration.yml: merged enhanced inputs from main + SHA pins
  - .github/workflows/pr-tests.yml: merged all env vars + SHA pins
  - .github/workflows/makecode.yml: deleted (removed in main)
  - README.md: accepted main's clean badge removal
  - apps/aria/test_auto_execute.py: kept raise_for_status() security fix

- Added new files from main:
  - .gitattributes: LF line ending normalization
  - .github/agents/visible-reasoning.agent.md: new visible-reasoning agent
  - .markdownlint.yaml: markdownlint configuration
  - CODE_OF_CONDUCT.md: code of conduct
  - ai-projects/quantum-ml/src/quantum_llm/: quantum LLM module
  - tests/test_quantum_llm.py: quantum LLM tests

Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>

* chore: sync with origin/main - resolve merge conflicts and incorporate new files

Agent-Logs-Url: https://github.com/Bryan-Roe/Aria/sessions/6b1e0324-3931-4edc-8aac-ca175cf68da0

Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>

* Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>

* Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>

* Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>

* Potential fix for pull request finding 'CodeQL / DOM text reinterpreted as HTML'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>

* Potential fix for pull request finding 'CodeQL / DOM text reinterpreted as HTML'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>

* Potential fix for pull request finding 'CodeQL / DOM text reinterpreted as HTML'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>

* Potential fix for pull request finding 'CodeQL / DOM text reinterpreted as HTML'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>

* chore: sync with origin/main - resolve merge conflicts, normalize line endings, and incorporate new commits

Changes incorporated from main:
- SQL fallback hardening (PR #194)
- Auto-merge gates (PR #193)
- Pre-commit hook scoped to changed files (PR #192)
- Line ending normalization via .gitattributes

Conflict resolution strategy:
- GitHub Actions workflow files: kept our SHA-pinned versions
- All other conflicted files: took main's version
- Preserved our security fixes (raise_for_status, XSS fixes, permissions)

Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>

---------

Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants