ci(safe-cosmetic): HMAC-authorized, label-gated auto-merge workflow #73
Merged
Operator-sanctioned exception (2026-06-06) to per-push approval for comment/whitespace/doc-only PRs. Merges a PR labeled SAFE-COSMETIC into master once all six required Linux contexts pass: Linux x86_64, Linux x86_64 (AsAN+UBSan), and the ltc/doge/dash/btc coin smokes. Gate matches BARE check-run names (the REST API form), not the CI / ... UI form, verified against live PR #68 check data. Guarded by a fail-closed SAFE_COSMETIC_ENABLED repo-variable kill-switch, label presence, base==master, and non-draft/open state.
Require a valid integrator HMAC authorization comment, bound to the PR head SHA, before the SAFE-COSMETIC auto-merge fires. The gate recomputes HMAC-SHA256(INTEGRATOR_LABEL_KEY, "<repo>:<pr>:<head-sha>") and merges only when a comment of the exact shape SAFE-COSMETIC-AUTH: <hmac> head=<head-sha> matches the current head. A new push changes the head SHA and silently invalidates any prior signature, so authorizations cannot be replayed across PRs or SHAs. Enforced only once a PR is otherwise green; on a green PR lacking valid authorization the gate fails closed: strips the label, posts a refusal, and fails the job. SAFE_COSMETIC_ENABLED kill-switch retained as an AND gate; bare check-run names and the (AsAN+UBSan) literal unchanged.
Adds the operator-sanctioned SAFE-COSMETIC auto-merge workflow with a head-SHA-bound HMAC authorization gate (operator-ratified 2026-06-06).
Gate (all must hold to merge)
- SAFE_COSMETIC_ENABLED repo variable == true — operator kill-switch, fail-closed.
- SAFE-COSMETIC label.
- master (STRICT).
- (AsAN+UBSan) literal): Linux x86_64, Linux x86_64 (AsAN+UBSan), plus ltc/doge/dash/btc smoke (Linux x86_64).

HMAC authorization
The integrator posts a comment of the exact shape:
where
<hmac> = HMAC-SHA256(INTEGRATOR_LABEL_KEY, "<repo>:<pr>:<head-sha>") lowercase hex. The workflow recomputes the expected value over the PR's current head and merges only on an exact full-line match. A new push changes the head SHA and silently invalidates any prior signature — authorizations cannot be replayed across PRs or SHAs. The key lives only as the INTEGRATOR_LABEL_KEY Actions secret and is never emitted.

Enforced only once a PR is otherwise green; on a green PR lacking valid authorization the gate fails closed (strips the label, posts a refusal, fails the job).
Merge remains operator push-approval gated.
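The head-bound check described above, sketched as an added example (not the workflow's own code from this PR). It recomputes the HMAC over `<repo>:<pr>:<head-sha>`, accepts only an exact full-line match, and shows that a signature for an old head or another PR is rejected. The key, repository name, SHAs and function names are constructed for illustration, and a 40-hex-digit head SHA is assumed.

```python
import hashlib
import hmac
import re

# Exact full-line shape from the PR description; lowercase hex only.
# Assumption: head SHAs are 40 hex digits (SHA-1 object ids).
AUTH_LINE = re.compile(r"SAFE-COSMETIC-AUTH: ([0-9a-f]{64}) head=([0-9a-f]{40})")


def expected_hmac(key: bytes, repo: str, pr: int, head_sha: str) -> str:
    """HMAC-SHA256(key, "<repo>:<pr>:<head-sha>") as lowercase hex."""
    msg = f"{repo}:{pr}:{head_sha}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def is_authorized(key, repo, pr, head_sha, comment_bodies) -> bool:
    """True only if some comment line authorizes the PR's current head."""
    want = expected_hmac(key, repo, pr, head_sha)
    for body in comment_bodies:
        for line in body.splitlines():
            m = AUTH_LINE.fullmatch(line)  # whole line, no extra text
            if m is None:
                continue
            got, claimed_head = m.groups()
            # The claimed head must be the current head, and the digest is
            # compared in constant time so timing does not leak the value.
            if claimed_head == head_sha and hmac.compare_digest(got, want):
                return True
    return False  # fail closed: no valid authorization found


# Constructed sample values (not from the PR).
KEY = b"constructed-demo-key"
REPO = "example-org/example-repo"
OLD_HEAD = "a" * 40
NEW_HEAD = "b" * 40
SIGNED_OLD = f"SAFE-COSMETIC-AUTH: {expected_hmac(KEY, REPO, 73, OLD_HEAD)} head={OLD_HEAD}"

if __name__ == "__main__":
    print(is_authorized(KEY, REPO, 73, OLD_HEAD, [SIGNED_OLD]))  # signed head
    print(is_authorized(KEY, REPO, 73, NEW_HEAD, [SIGNED_OLD]))  # after a new push
    print(is_authorized(KEY, REPO, 74, OLD_HEAD, [SIGNED_OLD]))  # different PR
```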